On Fri, 2005-06-10 at 14:08 -0400, Jason Opperisano wrote:
> On Thu, Jun 09, 2005 at 08:26:38AM +0200, Rob Sterenborg wrote:
> > If -m state is not specified then, in my experience, -m state --state
> > NEW is assumed (someone please correct me if I'm telling nonsense here)
> > so your rules *will* allow new connections.
>
> That is, indeed, nonsense.

In that case I don't understand why both rules seem to do the same job.

Both:

  $ipt -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

and:

  $ipt -A INPUT -i eth0 -m state --state NEW -p tcp --dport 22 -j ACCEPT

only work in combination with:

  $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

At least, here they do.

I was just looking at Oskar's tutorial, where I read that the state matches are explicit and thus have to be specifically loaded for them to work. Does this mean that if I don't specify a state match in a rule, the rule just won't match any state? Assuming that that's true, with the first rule a packet coming in on port 22 would be accepted regardless of state?

In practice I know that that's not true, because when I use the first rule without accepting RELATED or ESTABLISHED, I *cannot* connect to sshd. When I add the RELATED,ESTABLISHED accept rule, I *can* connect to sshd. (And this is how I would expect it to work.)

So, what is the difference between specifying and not specifying --state NEW in a rule?

Gr,
Rob
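As an added example (not part of Rob's message or Jason's reply), here are the two INPUT-chain variants the message compares, each assembled into a complete rule set with a DROP policy so the practical difference shows: the rule without a state match accepts every TCP packet to port 22 whatever conntrack classifies it as, while the `--state NEW` variant only lets the ssh rule see connection-opening packets and leaves the rest to the RELATED,ESTABLISHED rule, with INVALID and non-SYN "NEW" packets dropped first. The `IPT`, `IFACE`, `ruleset_*` and `count_rules` names are this example's own; `IPT` defaults to a dry run that only prints the commands, so the script runs unprivileged and offline.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT defaults to a dry run
# that prints the iptables commands; run as root with IPT=iptables to load them.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"

# Variant A: no state match on the ssh rule. The last rule matches every TCP
# packet to dport 22 regardless of what conntrack thinks of it (NEW,
# ESTABLISHED or INVALID), so the RELATED,ESTABLISHED rule above it only
# matters for traffic to other ports.
ruleset_stateless_ssh() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
}

# Variant B: explicit state matches throughout. INVALID packets and stray
# non-SYN packets that conntrack would still call NEW are dropped before any
# port rule is consulted; mid-stream packets are accepted by the
# RELATED,ESTABLISHED rule; only genuine connection openers reach the ssh rule.
ruleset_stateful_ssh() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -m state --state NEW -p tcp --dport 22 -j ACCEPT
}

# Dry-run helper: number of INPUT rules a variant emits (useful for diffing
# the two variants without touching a live firewall).
count_rules() {
    "$1" | grep -c -- '-A INPUT'
}
```

Run `ruleset_stateful_ssh` without `IPT` set to see the ordered commands; with `IPT=iptables` on a test box, `iptables -L INPUT -v` afterwards shows which rule each packet class hits.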