On Fri, 2 Dec 2005 Frank.Mayer@xxxxxxxxxxxxxxxxx wrote:

> Nevertheless I like to expressly state "-s 0/0 -d 0/0" for
> understandability.

Presently that's all right, because it does not cost anything (i.e. does not slow down the evaluation): source and destination address matchings are implicitly always applied. (However, as sooner or later a new packet classification algorithm will replace the current one, that can be untrue in the future and *can* mean wasted CPU cycles.)

> I have one more request, if I may bother you once again:
> can you point me to some documentation that clarifies state matching from
> a user's point of view?
> I do understand "NEW" and "ESTABLISHED" related to TCP, but their meaning
> for e.g. UDP and ICMP mostly eludes me, as does the "RELATED" state:
> under which circumstances is one connection considered "related" to
> another one (does that depend on the interpretation of the respective
> conntrack-module, or is there a general definition)?

Oskar Andreasson's iptables tutorial is very good in explaining the details behind iptables/netfilter from a user's point of view:

http://iptables-tutorial.frozentux.net/

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary