Query: Stateful parameters Explicitly and Implicitly defined, which is it?

Dear experts,

If a rule has a state of NEW does it implicitly imply ESTABLISHED also?

Looking at examples on the web I see references to both.

For example to permit access to an internal Web server, which of the straw-man rules are correct?

Implicit Established Example:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

Explicit Established Example:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT


Similarly, I see reference to setting TCP flags as a control measure, particularly for port scanning, etc. However, sticking with the Web server example, an internal Web server should expect a client to initiate a connection (SYN flag) but the server itself should not do this.

Example straw-man rules of the stateless kind:
iptables -A FORWARD -i eth0 -p tcp --dport 80 --tcp-flags SYN SYN -j ACCEPT

iptables -A FORWARD -o eth1 -p tcp --sport 80 --tcp-flags ACK ACK -j ACCEPT

The thing is, what happens after the 3-way handshake? Incoming HTTP requests will no longer have the SYN flag set! So is there some implicit knowledge that netfilter or other packet filters operate over?

Regards,
Will.
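The behaviour Will is asking about, as an added example that is not part of the original post: a toy model of netfilter's connection tracker and a FORWARD chain, replaying a client's TCP handshake plus one HTTP request/response through four constructed rule sets. The topology (clients on eth0, the Web server on eth1), the addresses, and the simplified conntrack state machine are all assumptions of the example, not facts from the thread.

```python
"""Toy model: iptables `-m state` versus `--tcp-flags` rules in FORWARD.

Added example, not code from the original post. Conntrack here is a
deliberate simplification of netfilter's: a bare SYN opens a connection
(NEW), the first packet back marks it as replied (ESTABLISHED), anything
else without a tracked connection is INVALID. RELATED is never produced.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"})


class Conntrack:
    """Labels each packet NEW / ESTABLISHED / INVALID as `-m state` would."""

    def __init__(self):
        self.table = {}  # original-direction 4-tuple -> {"replied": bool}

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:  # original direction of a known connection
            return "ESTABLISHED" if self.table[fwd]["replied"] else "NEW"
        if rev in self.table:  # reply direction: completes the pair
            self.table[rev]["replied"] = True
            return "ESTABLISHED"
        if "SYN" in p.flags and "ACK" not in p.flags:  # bare SYN opens one
            self.table[fwd] = {"replied": False}
            return "NEW"
        return "INVALID"  # mid-stream packet with no tracked connection


@dataclass
class Rule:
    """One FORWARD rule: -i/-o, --dport/--sport, --state, --tcp-flags mask comp."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: Optional[frozenset] = None
    tcp_flags: Optional[tuple] = None  # (mask, comp), like --tcp-flags

    def matches(self, p: Packet, state: str) -> bool:
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.states is not None and state not in self.states:
            return False
        if self.tcp_flags is not None:
            mask, comp = self.tcp_flags
            if (p.flags & mask) != comp:
                return False
        return True


def run_chain(rules, packets, policy="DROP"):
    """First matching rule wins; the chain policy applies otherwise."""
    ct = Conntrack()
    verdicts = []
    for p in packets:
        st = ct.state(p)
        verdicts.append(next((r.target for r in rules if r.matches(p, st)), policy))
    return verdicts


# Constructed exchange: client on the eth0 side, Web server on the eth1 side.
CLIENT, SERVER = "198.51.100.10", "192.0.2.80"
S, A, P = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"PSH", "ACK"})
c2s = lambda f: Packet("eth0", "eth1", CLIENT, 40000, SERVER, 80, f)
s2c = lambda f: Packet("eth1", "eth0", SERVER, 80, CLIENT, 40000, f)
EXCHANGE = [c2s(S), s2c(S | A), c2s(A), c2s(P), s2c(P)]  # handshake, request, response

NEW, EST = frozenset({"NEW"}), frozenset({"NEW", "ESTABLISHED"})
IMPLICIT = [Rule("ACCEPT", in_if="eth0", dport=80, states=NEW)]
EXPLICIT = [Rule("ACCEPT", in_if="eth0", dport=80, states=EST)]
STATEFUL = [  # the usual shape: one direction-agnostic rule for return traffic
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_if="eth0", dport=80, states=NEW),
]
STATELESS = [  # --tcp-flags SYN,ACK SYN inbound, --tcp-flags ACK ACK outbound
    Rule("ACCEPT", in_if="eth0", dport=80, tcp_flags=(S | A, S)),
    Rule("ACCEPT", out_if="eth0", sport=80, tcp_flags=(A, A)),
]

if __name__ == "__main__":
    for name, rules in [("implicit", IMPLICIT), ("explicit", EXPLICIT),
                        ("stateful", STATEFUL), ("stateless", STATELESS)]:
        print(f"{name:10s} {run_chain(rules, EXCHANGE)}")
```

What the replay shows: with `--state NEW` alone only the client's SYN gets through, so NEW does not imply ESTABLISHED. Adding ESTABLISHED to that same rule admits the client's later segments but still drops the server's replies, because `-i eth0` never matches packets that leave via eth0; the common fix is one direction-agnostic `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule ahead of the per-service NEW rules. The flag-only rules accept the SYN and the server's ACK-bearing replies but drop the client's request, since after the handshake the client's segments carry ACK rather than SYN. The implicit knowledge is the conntrack table: `-m state` consults it, `--tcp-flags` does not.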
