On Mon, 3 Oct 2005, Michael Schoen wrote:
> I think the only valid state for such pkgs would be INVALID, which makes those pkgs as TARGET-type available... Everything else should be managed within the user space..
CONNTRACK is not about firewalling, it is about tracking connections. INVALID is not "these packets is dangerous". It is "these packets can not under any circumstances belong to a valid session".
> I would actually DROP those targets...
Then I think you should also DROP lone ACK and a number of other packet types, simply done by
-m state --state NEW -p tcp \! --syn
which clearly states that you do not accept resume of old sessions.

Regards
Henrik
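Added illustration, not part of the thread: a small Python model of the distinction Henrik draws between conntrack's INVALID and NEW states, and of what his `--state NEW ! --syn` rule adds on top of dropping INVALID. The classification table is a simplified approximation of Linux conntrack's TCP handling (including the "loose" mid-stream pickup that turns a lone ACK into a NEW entry), not kernel code; function and parameter names are my own.

```python
"""Simplified model of conntrack TCP state classification (assumption:
approximates nf_conntrack behaviour, not the kernel's actual code)."""

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def tcp_index(flags):
    """Reduce a TCP flag set to the single case conntrack's state table keys on."""
    if RST in flags:
        return "rst"
    if SYN in flags:
        return "synack" if ACK in flags else "syn"
    if FIN in flags:
        return "fin"
    if ACK in flags:
        return "ack"
    return "none"


def conntrack_state(flags, tracked, tcp_loose=True):
    """Return the ctstate a packet matches: ESTABLISHED, NEW or INVALID.

    INVALID means "cannot belong to any session" (e.g. SYN/ACK, FIN or RST
    with no tracked connection). A lone ACK with no tracked connection is
    NOT invalid when loose pickup is on: conntrack creates a new entry for
    it, so it matches --state NEW. That is the gap Henrik's rule closes."""
    if tracked:
        return "ESTABLISHED"
    idx = tcp_index(flags)
    if idx == "syn":
        return "NEW"
    if idx == "ack" and tcp_loose:
        return "NEW"  # picked up mid-stream: resumes an untracked session
    return "INVALID"


def firewall_verdict(flags, tracked, tcp_loose=True, drop_new_nonsyn=True):
    """Apply: -m state --state INVALID -j DROP, then (optionally)
    -p tcp ! --syn -m state --state NEW -j DROP, else ACCEPT."""
    state = conntrack_state(flags, tracked, tcp_loose)
    if state == "INVALID":
        return "DROP"
    if state == "NEW" and SYN not in flags and drop_new_nonsyn:
        return "DROP"
    return "ACCEPT"
```

Run `firewall_verdict({"ACK"}, tracked=False, drop_new_nonsyn=False)` to see a lone ACK slip through as NEW when only INVALID is dropped; with the second rule enabled it is dropped.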