On Wed, 05 Aug 2009 15:35:55 +0200, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote: > Julien Vehent wrote: >> Hello Nicholas, >> >> >> On Mon, 27 Jul 2009 13:56:59 -0400, NICHOLAS KLINE <nkline@xxxxxxxx> >> wrote: >> >>> # Tell netfilter that all TCP sessions do indeed begin with SYN >>> >>> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG >>> --log-prefix "Stealth scan attempt?" >>> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP >>> >> >> My understanding of the conntrack subsystem is that a connection cannot >> be >> in the state NEW without a syn packet, therefore I don't think this is >> useful. >> >> >> > Wrong, from the iptables tutorial 1.2.2 at frozentux: > http://iptables-tutorial.frozentux.net/iptables-tutorial.html#STATEMACHINE > > The NEW state tells us that the packet is the first packet that we see. > This means that the first packet that the conntrack module sees, within > a specific connection, will be matched. For example, if we see a SYN > packet and it is the first packet in a connection that we see, it will > match. However, the packet may as well not be a SYN packet and still be > considered NEW. > OK, I thought conntrack was doing some sort of protocol validation. I suppose then that Linux will reply with some sort of RST packet. Thus, I'm not quite sure to understand how this is a threat... > greets > > Mart Julien -- julien http://jve.linuxwall.info/blog -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
