I assume that LOG-AND-DROP is your own chain, crafted so that you can perform both functions with a single entry?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marc Cozzi
> Sent: Wednesday, May 16, 2007 5:19 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: is it possible to block ip packets that contains
> experimental tcp options ?
>
> Glenn,
>
> Not sure what you mean by "experimental"; however, there are
> some combinations of flags that should never occur on the
> network. These can be trapped with rules similar to the following.
>
> iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
>
> --marc
>
> > -----Original Message-----
> > From: Glenn Terjesen [mailto:glenn@xxxxxxxxx]
> > Sent: Wednesday, May 16, 2007 5:24 AM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: is it possible to block ip packets that contains
> > experimental tcp options ?
> >
> > Hello,
> > got an iptables firewall filtering our servers.
> >
> > Is it possible to block tcp packets that contain
> > experimental tcp options?
> >
> > AND is it smart to do so?
> >
> > --
> > Regards, Glenn Terjesen @ Webcat AS
> > Phone: +47 37 02 20 20
> > E-mail: support@xxxxxxxxx
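As an added illustration (my own code, not from anyone in this thread), the following parses a raw TCP header and applies the same `--tcp-flags mask comp` semantics that Marc's ALL ALL / ALL NONE rules rely on, and also reports the experimental option kinds Glenn asked about. Assumptions: the experimental option kinds are 253 and 254 (RFC 4727), and the SYN,FIN and SYN,RST rules go beyond the two the thread shows; the sample segments are constructed inline.

```python
import struct

# TCP flag bits (low 6 bits of the data-offset/flags word)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())                 # iptables' ALL keyword
EXPERIMENTAL_OPTION_KINDS = {253, 254}    # RFC 4727 experimental kinds (assumption)

def parse_tcp(segment):
    """Return (flag bits, list of option kinds) from a raw TCP segment."""
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (off_flags >> 12) * 4
    opts, kinds, i = segment[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # EOL: nothing more to parse
            break
        if kind == 1:                     # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        kinds.append(kind)
        i += opts[i + 1]                  # skip over kind, length, data
    return off_flags & 0x3F, kinds

def tcp_flags_match(flags, mask, comp):
    """iptables '--tcp-flags mask comp': among the bits named in mask,
    match when exactly the bits named in comp are set."""
    return flags & mask == comp

# Rules from the thread (ALL ALL, ALL NONE) plus two further combinations
# that never occur in legitimate traffic (my addition, not from the thread).
# '-m state --state INVALID' needs conntrack state and is not modelled here.
FLAG_RULES = [
    ("ALL ALL", ALL, ALL),
    ("ALL NONE", ALL, 0),
    ("SYN,FIN SYN,FIN", FLAGS["SYN"] | FLAGS["FIN"], FLAGS["SYN"] | FLAGS["FIN"]),
    ("SYN,RST SYN,RST", FLAGS["SYN"] | FLAGS["RST"], FLAGS["SYN"] | FLAGS["RST"]),
]

def classify(segment):
    """Names of the checks that would send this segment to LOG-AND-DROP."""
    flags, kinds = parse_tcp(segment)
    hits = [n for n, mask, comp in FLAG_RULES if tcp_flags_match(flags, mask, comp)]
    if EXPERIMENTAL_OPTION_KINDS & set(kinds):
        hits.append("experimental-option")
    return hits

def build_segment(flags, options=b""):
    """Constructed sample segment: zero ports/seq/ack, given flags and options."""
    options += b"\x00" * (-len(options) % 4)   # pad header to 32-bit words
    header_len = 20 + len(options)
    word = (header_len // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", 0, 0, 0, 0, word, 0, 0, 0) + options
```

In iptables itself the option check can be expressed with the tcp match's `--tcp-option number` argument (for example `-p tcp --tcp-option 253`), one rule per option kind.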