On 10 Dec 2001, Matt Kowske wrote:

> I am trying to set up a firewall, and have read and seen in some firewall
> scripts lines similar to this:
>
> iptables -A <chain> -p tcp ! --syn -m state --state NEW -j DROP
>
> This line basically says, as I understand it, that all new packets that
> are not of the "SYN" state will be dropped. I've read that it is TCP
> protocol to always first send a SYN packet to establish the connection
> and so any connection that first sends a packet that is NOT of the SYN
> state, should be dropped because it is suspicious of something bad going
> on.

As you said, the TCP Handshake starts with a SYN
http://laxmi.crump.ucla.edu:8888/ACGME_class/AChang_1-31-00/sld033.htm

> This made sense to me at first, but I have been logging any of
> these "new, but no syn packet" packets for about a week now, and get
> them quite frequently from a wide variety of respectable websites. I
> doubt these domains are trying to hack me and so I'm wondering if this
> is normal and I shouldn't be dropping these packets. It doesn't seem to
> affect any connections by dropping these packets. Anyone know what's
> going on here? Thanks in advance.
>
> -Matt Kowske

I would not remove that rule.

How are you logging? I don't see the word "LOG" in your rule.
Could you send part of the log information here?
Do a tcpdump and send a packet?
Or tell us the sites that you say are doing that so I/we can check what they send?

tnx

David Correa
RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
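An added example, not part of the original thread: one way to turn the requested log information into something reviewable is to tally which TCP flags the "new, but no SYN" packets carry per source. It assumes the DROP rule is preceded by an otherwise identical `-j LOG --log-prefix "NEW-NOT-SYN: "` rule; the prefix, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

PREFIX = "NEW-NOT-SYN: "  # assumed --log-prefix on a LOG rule placed before the DROP

# Constructed kernel log lines in the iptables LOG format (documentation addresses).
SAMPLE_LOG = """\
Dec 10 14:02:11 fw kernel: NEW-NOT-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=34512 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Dec 10 14:02:12 fw kernel: NEW-NOT-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=34512 WINDOW=0 RES=0x00 RST URGP=0
Dec 10 14:09:40 fw kernel: NEW-NOT-SYN: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=443 DPT=35001 WINDOW=8192 RES=0x00 ACK FIN URGP=0
Dec 10 14:11:05 fw kernel: NEW-NOT-SYN: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=443 DPT=35001 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 10 14:12:00 fw kernel: OTHER: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# LOG prints the set TCP flags as bare words between RES=0x.. and URGP=..
FLAGS_RE = re.compile(r"RES=0x[0-9a-fA-F]+ ((?:[A-Z]+ )*)URGP=")

def parse_line(line):
    """Return src, ports and TCP flags for a prefixed TCP log line, else None."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    flags = FLAGS_RE.search(body)
    if "PROTO=TCP" not in body or flags is None:
        return None
    f = dict(FIELD_RE.findall(body))
    return {"src": f["SRC"], "spt": int(f["SPT"]), "dpt": int(f["DPT"]),
            "flags": tuple(flags.group(1).split())}

def kind(flags):
    """Descriptive label for the flag combination (not a verdict on intent)."""
    for name in ("RST", "FIN", "SYN"):
        if name in flags:
            return name.lower()
    return "ack-only" if flags == ("ACK",) else "other"

def summarize(log_text):
    """Count logged packets per (source address, flag kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt:
            counts[(pkt["src"], kind(pkt["flags"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, k), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {k:9} {n}")
```

Pass the real kernel log text to `summarize()` in place of `SAMPLE_LOG` to get a per-source breakdown that can be posted to the list alongside a tcpdump capture.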