Re: iptables 'new but not syn' packets

From: Cedric Blancher (blancher@cartel-info.fr)
Date: Fri Dec 14 2001 - 02:13:00 PST

Next message: Chatfield, Randy: "RE: Again: Possible DoS attack against Sun Ray Servers?"

Previous message: Hanspeter Schmid: "Again: Possible DoS attack against Sun Ray Servers?"
In reply to: Leonardo Rodrigues: "Re: iptables 'new but not syn' packets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

le jeu 13-12-2001 à 15:20, Leonardo Rodrigues a écrit :
>     Dropping INVALID packets seems to not deal with these packets. As I
> stated, iptables recognizes them as NEW state. So a rule that drop
> INVALID ones wouldnt care about them.

INVALID is a specific state for packets which state cannot be classified
as NEW, ESTABLISHED or RELATED. Which means INVALID packets are very
ugly :/ NEW state is relative to existing connection table : a packet
that cannot be attached to a existing connection is NEW, wether it is a
TCP SYN or not.
As an example, an ICMP error hich is not RELATED to an ESTABLISHED
connection has an INVALID state.

-- 
Cédric Blancher
Consultant sécurité systèmes et réseaux
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tél : 01 44 06 97 87 - Fax 01 44 06 97 99

Next message: Chatfield, Randy: "RE: Again: Possible DoS attack against Sun Ray Servers?"
Previous message: Hanspeter Schmid: "Again: Possible DoS attack against Sun Ray Servers?"
In reply to: Leonardo Rodrigues: "Re: iptables 'new but not syn' packets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 08:41:49 PST