On Monday 2011-07-18 02:01, netfilter@xxxxxxxxxxxxxx wrote:

>In the course of troubleshooting a very simple iptables ruleset that is
>inexplicably dropping packets (more on that later) I came across an
>explanation in an Iptables Firewall book regarding the NEW state when
>using "-m state --state NEW" in a rule.

Use -m conntrack --ctstate NEW/etc.

>It states "NEW is equivalent to the initial TCP syn request, or to the
>first UDP packet". I have also seen in some resources that "-m state
>--state NEW" will allow any packet through whether a syn bit is set or
>not.

NFCT can also pick up connections, so NEW does not necessarily correspond to TCP SYN.
(Cf. sysctl net.netfilter.nf_conntrack_tcp_be_liberal)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
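Added example, not from the list post: a POSIX sh audit over a constructed iptables-save dump that flags TCP ACCEPT rules matching NEW without a SYN-flag check, which is the gap the reply points at (conntrack can pick a connection up mid-stream, so NEW alone does not imply SYN). The rule lines in SAMPLE_RULES are constructed; the fix shown for port 80 is the `--syn` form as iptables-save renders it.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not from the post). The port-22 rule
# accepts on NEW alone; the port-80 rule additionally requires SYN, which
# is how iptables-save renders "-p tcp --syn".
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP'

# Reads iptables-save rule lines on stdin; prints each TCP ACCEPT rule that
# matches state/ctstate NEW but carries no SYN-flag check. A rule reported
# here lets conntrack-picked-up non-SYN packets through as "NEW".
audit_new_rules() {
    while IFS= read -r rule; do
        case $rule in *"-p tcp"*) ;; *) continue ;; esac
        case $rule in *"-j ACCEPT"*) ;; *) continue ;; esac
        case $rule in
            *"--state "*NEW*|*"--ctstate "*NEW*) ;;
            *) continue ;;
        esac
        # Any explicit flag match counts as a SYN check (heuristic: we do
        # not parse the mask/compare pair).
        case $rule in *"--syn"*|*"--tcp-flags "*) continue ;; esac
        printf '%s\n' "$rule"
    done
}

# Number of offending rules in the text passed as $1.
count_unsafe_new_rules() {
    n=0
    for _ in $(printf '%s\n' "$1" | audit_new_rules | sed 's/.*/x/'); do
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run: list the weak rules in the sample dump.
printf '%s\n' "$SAMPLE_RULES" | audit_new_rules
```

On a live host, feed `iptables-save` output to `audit_new_rules` instead of the sample, and check `sysctl net.netfilter.nf_conntrack_tcp_be_liberal` alongside it.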