--syn and NEW are same ? or ?

--syn and NEW are same ? or ?

[CC commmunication]

Hi
I am a bit confused aobut SYN, ACK and New and Established. Please increase my knowledge by giving you little from important time. I will be very thankful for the kind consideration.
 
is there any difference between chechking --SYN  or using  NEW in iptables command,  as well as is there any difference between --ACK and Estalished ,
i am asking in the sence that , if state of TCP packet can be matched with the checking FLAG bits in tcp header then wts  new in ,,, NEW,ESTABLISHED, RELATED, 
 
 
I can just find that NEW works to check the on the following link , 
(
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
will allow ssh connections to your firewall, and gives you the benefit of 
checking both NEW state and the SYN flag.will allow ssh connections to your firewall, and gives you the benefit of 
checking both NEW state and the SYN flag.
 
http://archives.free.net.ph/message/20020724.124732.c3fdc39e.en.html )
 
Where as in netfilter hot to is says (
 

NEW 
   
A packet which creates a new connection.

ESTABLISHED 
   
A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).)

   
And further more in (

   
Taming the Wild Netfilter http://www.linuxjournal.com/article/4815

   
It says  As for the ESTABLISHED, RELATED, NEW and INVALID arguments, they are more than they appear to be. ESTABLISHED permits traffic to continue where it has seen traffic before in both directions. ESTABLISHED obviously applies to TCP connections but also to UDP traffic, such as DNS queries and traceroutes as well as ICMP pings. In fact, packets are first checked to see if the connection exists in the connection tracking table (/proc/net/ip_conntrack). If so, the chains aren't run, the original rule is applied and the packets pass. In some cases, Netfilter is faster than its predecessor because of this check. The RELATED argument covers a multitude of sins. This argument is applied to active FTP, which opens a related connection on port 20, but also applies to ICMP traffic related to the TCP connection. The NEW argument applies to packets with only the SYN bit set (and the ACK bit unse
 t). The INVALID applies to packets that have invalid sets of options, as in an XMAS tree scan.

   
) 

   
Please explain as  i want to know is what is more in NEW , Establishe drather than just checking SYN and ACK flags in tcp header... or does it maintains a state table itself, containing source and estination ip addresses and ports to track the connections passing through...


 
 
		
---------------------------------
 Start your day with Yahoo! - make it your home page 

STRING module

[Alex Sirbu]

Hi,

I am trying to patch a vanilla kernel 2.6.12.5 using POM ( 
patch-o-matic-ng-20050701 ) but I have a problem : the STRING modules is not 
listed into base, pending or extra extensions.

How can I force POM to patch my kernel with this extension ?

Regards,



-Alex Sirbu-
alex@as.ro



____________________________________________________
Test your Internet Connection with As.Ro Speed Test - http://www.as.ro/bandtest/?mailref
High website revenue with just a simple search box: http://www.geenza.com/affiliates.php

Re: STRING module

[Alex Sirbu]

I don't need help anymore; I've got an ugly answer by myself :

# cat patch-o-matic-ng-20050701/patchlets/string/info
Title: iptables string match
Author: Emmanuel Roger <winfield@freegates.be>
Status: Working, not with kernel 2.4.9
Repository: extra
Requires: linux < 2.6.0


Does anybody have any idea of some similar netfilter extension ? ( string 
match/replace )



-Alex Sirbu-
alex@as.ro

----- Original Message ----- 
From: "Alex Sirbu" <alex@as.ro>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, August 28, 2005 11:48 PM
Subject: STRING module


> Hi,
>
> I am trying to patch a vanilla kernel 2.6.12.5 using POM ( 
> patch-o-matic-ng-20050701 ) but I have a problem : the STRING modules is 
> not listed into base, pending or extra extensions.
>
> How can I force POM to patch my kernel with this extension ?
>
> Regards,
>
>
>
> -Alex Sirbu-
> alex@as.ro
>
>
>
> ____________________________________________________
> Test your Internet Connection with As.Ro Speed Test - 
> http://www.as.ro/bandtest/?mailref
> High website revenue with just a simple search box: 
> http://www.geenza.com/affiliates.php
>
>
>
> ____________________________________________________
> Test your Internet Connection with As.Ro Speed Test - 
> http://www.as.ro/bandtest/?mailref
> High website revenue with just a simple search box: 
> http://www.geenza.com/affiliates.php 



____________________________________________________
Test your Internet Connection with As.Ro Speed Test - http://www.as.ro/bandtest/?mailref
High website revenue with just a simple search box: http://www.geenza.com/affiliates.php

Re: STRING module

[Alex Sirbu]

It seems that the new kernel 2.6.13 will have support for Netfilter String 
extension ( 
http://www.opensubscriber.com/message/netfilter-devel@lists.netfilter.org/1974735.html ) 
. Can we expect to a improved version of this extension 
ith  --replace-string option soon ?


-Alex Sirbu-
alex@as.ro

----- Original Message ----- 
From: "Alex Sirbu" <alex@as.ro>
To: <netfilter@lists.netfilter.org>
Sent: Monday, August 29, 2005 12:03 AM
Subject: Re: STRING module


>I don't need help anymore; I've got an ugly answer by myself :
>
> # cat patch-o-matic-ng-20050701/patchlets/string/info
> Title: iptables string match
> Author: Emmanuel Roger <winfield@freegates.be>
> Status: Working, not with kernel 2.4.9
> Repository: extra
> Requires: linux < 2.6.0
>
>
> Does anybody have any idea of some similar netfilter extension ? ( string 
> match/replace )
>
>
>
> -Alex Sirbu-
> alex@as.ro
>
> ----- Original Message ----- 
> From: "Alex Sirbu" <alex@as.ro>
> To: <netfilter@lists.netfilter.org>
> Sent: Sunday, August 28, 2005 11:48 PM
> Subject: STRING module
>
>
>> Hi,
>>
>> I am trying to patch a vanilla kernel 2.6.12.5 using POM ( 
>> patch-o-matic-ng-20050701 ) but I have a problem : the STRING modules is 
>> not listed into base, pending or extra extensions.
>>
>> How can I force POM to patch my kernel with this extension ?
>>
>> Regards,
>>
>>
>>
>> -Alex Sirbu-
>> alex@as.ro
>>
>>
>>
>> ____________________________________________________
>> Test your Internet Connection with As.Ro Speed Test - 
>> http://www.as.ro/bandtest/?mailref
>> High website revenue with just a simple search box: 
>> http://www.geenza.com/affiliates.php
>>
>>
>>
>> ____________________________________________________
>> Test your Internet Connection with As.Ro Speed Test - 
>> http://www.as.ro/bandtest/?mailref
>> High website revenue with just a simple search box: 
>> http://www.geenza.com/affiliates.php
>
>
>
> ____________________________________________________
> Test your Internet Connection with As.Ro Speed Test - 
> http://www.as.ro/bandtest/?mailref
> High website revenue with just a simple search box: 
> http://www.geenza.com/affiliates.php
>
>
>
> ____________________________________________________
> Test your Internet Connection with As.Ro Speed Test - 
> http://www.as.ro/bandtest/?mailref
> High website revenue with just a simple search box: 
> http://www.geenza.com/affiliates.php 



____________________________________________________
Test your Internet Connection with As.Ro Speed Test - http://www.as.ro/bandtest/?mailref
High website revenue with just a simple search box: http://www.geenza.com/affiliates.php

Re: STRING module

[Pablo Neira]

Alex Sirbu wrote:
> It seems that the new kernel 2.6.13 will have support for Netfilter 

No, actually you'll have to wait until 2.6.14 is released.

> Can we expect to a improved version of this extension ith --replace-string option soon ?

How useful would be such feature ?

--
Pablo

Re: STRING module

[Frank]

--- Pablo NeirNeirablpablooeurodev> wrote:

> Alex SirbSirbute:
> > It seems that the new kernel 2.6.13 will have support for
> NetfNetfilter 
> No, actually you'll have to wait until 2.6.14 is released.
> 
> > Can we expect to a improved version of this extension
ith
ith--replace-string option soon ?
> 
> How useful would be such feature ?
> 
> --
> Pablo

 This option would be very useful to me. I am developing a 
bacnbacnetwireless bridge. I have to replace some data
encapsulated in the IP pIPket and relying on this feature to do
it.

> 
> 


		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs