Problems with more than one iptables-based router are pretty obvious. This 'new but not syn' feature was apparently built exactly for these situations. Although, I'm analysing this in a specific situation: only one iptables-based router.

Dropping INVALID packets seems not to deal with these packets. As I stated, iptables recognizes them as NEW state. So a rule that drops INVALID ones wouldn't care about them.

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: <sekureat_private>
To: "Leonardo Rodrigues" <coelhoat_private>
Sent: Tuesday, December 11, 2001 4:38 PM
Subject: Re: iptables 'syn but not new' packets

> Although this should be safe for single machines, such a setting
> may cause problems for LANs which have multiple routers connecting them.
>
> Suppose the SYN and the SYN/ACK travel through one router, but the ACK,
> or, perhaps some other packets travel through another router.
> Packets seen by this second router are classified NEW or INVALID
> by iptables.
>
> Since dropping INVALID-classified packets appears to be a common practice,
> I may be overlooking something. Any ideas?
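The point both posters are circling, as an added example that is not part of the original thread: a toy model of the state classification the thread describes, written here to show why a "--state INVALID -j DROP" rule never touches a non-SYN packet that conntrack has labelled NEW, while "-p tcp ! --syn -m state --state NEW -j DROP" does, and why that second rule breaks the asymmetric two-router case sekure raised. This is not netfilter code; the class and function names, the sample hosts and the flag handling are assumptions, and the classification is a deliberately reduced sketch (the mid-stream pickup of a non-SYN packet as NEW is modelled because the thread reports it, not because this is how every kernel version behaves). The one piece of real netfilter behaviour kept on purpose is that a NEW entry only becomes part of the table if the packet is accepted.

```python
"""Toy model of the iptables conntrack states discussed in the thread.

Added example, not code from the original post or from the netfilter
project. Names, hosts and the flag handling are made up; the
classification is a reduced sketch, not the kernel's state machine.
"""
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

    def key(self):
        # Direction-independent connection key (protocol is always TCP here).
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class ConnTrack:
    """Per-router connection table: each router tracks state on its own."""

    def __init__(self, loose_pickup=True):
        # loose_pickup models what the thread reports: a non-SYN packet with
        # no matching entry is picked up mid-stream and labelled NEW.
        self.table = set()
        self.loose_pickup = loose_pickup

    def classify(self, pkt):
        if SYN in pkt.flags and (FIN in pkt.flags or RST in pkt.flags):
            return "INVALID"          # nonsense flag combination
        if pkt.key() in self.table:
            return "ESTABLISHED"
        if pkt.flags == frozenset({SYN}):
            return "NEW"              # proper connection start
        return "NEW" if self.loose_pickup else "INVALID"

    def confirm(self, pkt):
        # A NEW entry is only committed once the packet is accepted;
        # a dropped packet leaves no entry behind.
        self.table.add(pkt.key())


def is_syn(pkt):
    # iptables --syn: SYN set, ACK/RST/FIN clear.
    return pkt.flags == frozenset({SYN})


def drop_invalid(state, pkt):
    # iptables -A FORWARD -m state --state INVALID -j DROP
    return "DROP" if state == "INVALID" else None


def drop_new_not_syn(state, pkt):
    # iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    return "DROP" if state == "NEW" and not is_syn(pkt) else None


def filter_packet(ct, rules, pkt):
    """Classify the packet, walk the rule list, return (verdict, state)."""
    state = ct.classify(pkt)
    verdict = "ACCEPT"
    for rule in rules:
        v = rule(state, pkt)
        if v:
            verdict = v
            break
    if verdict == "ACCEPT" and state == "NEW":
        ct.confirm(pkt)
    return verdict, state


# Constructed sample flow: 10.0.0.5 opens a connection to 203.0.113.10:80.
CLIENT, SERVER = ("10.0.0.5", 40000), ("203.0.113.10", 80)
c_syn = Packet(*CLIENT, *SERVER, frozenset({SYN}))
s_synack = Packet(*SERVER, *CLIENT, frozenset({SYN, ACK}))
c_ack = Packet(*CLIENT, *SERVER, frozenset({ACK}))


def single_router(rules):
    """All three handshake packets cross the same router."""
    ct = ConnTrack()
    return [filter_packet(ct, rules, p) for p in (c_syn, s_synack, c_ack)]


def second_router_sees_only_ack(rules):
    """Asymmetric routing: a second router sees only the client's ACK."""
    ct = ConnTrack()
    return filter_packet(ct, rules, c_ack)


if __name__ == "__main__":
    print(single_router([drop_invalid, drop_new_not_syn]))
    print(second_router_sees_only_ack([drop_invalid]))
    print(second_router_sees_only_ack([drop_invalid, drop_new_not_syn]))
```

With a single router the handshake passes both rules: the SYN is NEW and carries only SYN, the rest is ESTABLISHED. On the second router of an asymmetric pair the lone ACK is NEW, so the INVALID rule lets it through (and the router then tracks the flow), whereas the "! --syn" rule drops it, and because a dropped packet never confirms an entry, every later packet of that flow on that router is dropped too. That is the trade-off the thread is about: the extra rule closes the hole on a single router and breaks the multi-router LAN.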
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 08:41:41 PST