On 07.01.2017 00:26, Neal P. Murphy wrote:

> Dumb question: can you reset a TCP conn that isn't ESTABLISHED? I don't think a TCP reset applies to the first SYN packet.

Yes, you can and have to. It's specified as such. It does.

> -A timedaction -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
> -A timedaction -j REJECT --reject-with icmp-admin-prohibited

You should reject all TCP packets, not just the ones that belong to an established connection.

> and further packets in that direction are rejected with ICMP 'admin prohibited' packets.

That's invalid behaviour. See above.

> All other conns, including each reset direction of TCP conns, are rejected via ICMP.

See above.

-- 
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
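As an added audit check (not part of the original mail or of any project), the script below parses an iptables-save dump and flags chains where the only tcp-reset REJECT is restricted by conntrack state while a catch-all REJECT follows, so that non-ESTABLISHED TCP packets such as the first SYN are answered with ICMP admin-prohibited instead of a RST. The sample dump is constructed from the two quoted rules; the chain name timedaction comes from the mail.

```python
"""Audit an iptables-save dump for the REJECT ordering discussed in the thread:
a tcp-reset that fires only for ESTABLISHED flows lets a SYN fall through to
the ICMP admin-prohibited catch-all instead of being answered with a RST."""
import re
from typing import Dict, List

# Constructed sample in iptables-save format (built from the quoted rules).
SAMPLE_RULES = """\
*filter
:timedaction - [0:0]
-A timedaction -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
-A timedaction -j REJECT --reject-with icmp-admin-prohibited
COMMIT
"""

# Either the legacy 'state' or the 'conntrack' match restricts by connection state.
STATE_MATCH = re.compile(r"--(?:state|ctstate)\s+\S+")

def parse_chains(dump: str) -> Dict[str, List[str]]:
    """Group '-A <chain> ...' rules by chain, preserving their order."""
    chains: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return chains

def matches_tcp(rule: str) -> bool:
    """True if the rule can match a TCP packet (no -p at all, or -p tcp)."""
    return "-p tcp" in rule or " -p " not in rule

def tcp_reset_gaps(dump: str) -> List[str]:
    """Chains in which some TCP packets are rejected without a TCP RST.
    Simplification: only conntrack-state restrictions are considered;
    port or address matches on the tcp-reset rule are ignored."""
    gaps = []
    for chain, rules in parse_chains(dump).items():
        rst = [r for r in rules if "--reject-with tcp-reset" in r]
        other = [r for r in rules
                 if "-j REJECT" in r and "tcp-reset" not in r and matches_tcp(r)]
        # A tcp-reset rule without a state match covers every TCP packet;
        # one limited to ESTABLISHED does not cover the first SYN.
        unconditional = any(not STATE_MATCH.search(r) for r in rst)
        if other and not unconditional:
            gaps.append(chain)
    return gaps

def fixed_rules(chain: str) -> List[str]:
    """Reset every TCP packet first, then ICMP-reject everything else."""
    return [f"-A {chain} -p tcp -j REJECT --reject-with tcp-reset",
            f"-A {chain} -j REJECT --reject-with icmp-admin-prohibited"]

FIXED_RULES = "\n".join(fixed_rules("timedaction"))
```

Running `tcp_reset_gaps` on SAMPLE_RULES reports the timedaction chain, and on FIXED_RULES reports nothing, matching the correction made in the reply.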