* --syn and NEW are same ? or ?
@ 2005-08-28  8:55 CC commmunication
  2005-08-28 20:48 ` STRING module Alex Sirbu
  0 siblings, 1 reply; 6+ messages in thread
From: CC commmunication @ 2005-08-28  8:55 UTC (permalink / raw)
  To: netfilter

Hi
I am a bit confused about SYN, ACK and NEW and ESTABLISHED. Please increase my knowledge by giving a little of your valuable time. I will be very thankful for the kind consideration.

Is there any difference between checking --syn or using NEW in an iptables command, as well as is there any difference between --ack and ESTABLISHED?
I am asking in the sense that, if the state of a TCP packet can be matched by checking the FLAG bits in the TCP header, then what's new in NEW, ESTABLISHED, RELATED?
 
 
I can just find that NEW works to check the following, on this link:
(
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

will allow ssh connections to your firewall, and gives you the benefit of
checking both NEW state and the SYN flag.

http://archives.free.net.ph/message/20020724.124732.c3fdc39e.en.html )
 
Whereas in the netfilter HOWTO it says (
 

NEW 
   
A packet which creates a new connection.

ESTABLISHED 
   
A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).)

   
And furthermore in (

   
Taming the Wild Netfilter http://www.linuxjournal.com/article/4815

   
It says: As for the ESTABLISHED, RELATED, NEW and INVALID arguments, they are more than they appear to be. ESTABLISHED permits traffic to continue where it has seen traffic before in both directions. ESTABLISHED obviously applies to TCP connections but also to UDP traffic, such as DNS queries and traceroutes as well as ICMP pings. In fact, packets are first checked to see if the connection exists in the connection tracking table (/proc/net/ip_conntrack). If so, the chains aren't run, the original rule is applied and the packets pass. In some cases, Netfilter is faster than its predecessor because of this check. The RELATED argument covers a multitude of sins. This argument is applied to active FTP, which opens a related connection on port 20, but also applies to ICMP traffic related to the TCP connection. The NEW argument applies to packets with only the SYN bit set (and the ACK bit unset). The INVALID applies to packets that have invalid sets of options, as in an XMAS tree scan.

   
) 

   
Please explain, as what I want to know is what more there is in NEW and ESTABLISHED than just checking the SYN and ACK flags in the TCP header... or does it maintain a state table itself, containing source and destination IP addresses and ports to track the connections passing through...


 
 
		
---------------------------------
 Start your day with Yahoo! - make it your home page 

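The core of the question is whether NEW is just another name for the SYN flag or whether a state table is involved. The following added Python model (not code from the original post, and not netfilter's own code) shows the difference in miniature: `matches_syn` inspects only the flag bits of the packet in hand, while `ConnTracker` keeps a table keyed on the two endpoints and reports NEW or ESTABLISHED from what it remembers. The packet layout, helper names and the four-packet trace are constructed for illustration; the rule evaluated is the one quoted above, `--dport 22 --syn -m state --state NEW`.

```python
"""Why conntrack's NEW is not the same test as --syn.

Added example, not code from the original post or from netfilter itself.
It models what the state match does (consult a connection-tracking table
keyed on the endpoints) against what --syn does (inspect flag bits of the
packet in hand). Packet layout, helper names and the sample trace are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


def matches_syn(pkt: Packet) -> bool:
    """Stateless check equivalent to iptables --syn:
    SYN set and ACK, RST and FIN clear. Looks at this packet only."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})


class ConnTracker:
    """Toy connection-tracking table.

    Each entry remembers which endpoint sent the first packet (the
    "original" direction) and whether a reply has been seen. This memory
    is exactly what the --syn test does not have.
    """

    def __init__(self) -> None:
        self.table: dict = {}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Same key for both directions of one connection.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (min(a, b), max(a, b))

    def state(self, pkt: Packet) -> str:
        """Return the state the state match would see, and update the table."""
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is None:
            # No entry yet: an entry is created and the packet is NEW,
            # whatever its flags. Real Linux conntrack behaves the same for
            # a mid-stream packet while nf_conntrack_tcp_loose (the default)
            # is on, which is why the quoted rule pairs --syn with NEW.
            self.table[k] = {"orig": (pkt.src, pkt.sport), "replied": False}
            return "NEW"
        is_reply = (pkt.src, pkt.sport) != entry["orig"]
        if is_reply:
            entry["replied"] = True
            return "ESTABLISHED"
        # Original direction: ESTABLISHED only once a reply has been seen
        # (the HOWTO definition), otherwise still NEW.
        return "ESTABLISHED" if entry["replied"] else "NEW"


def accept_new_ssh(pkt: Packet, tracker: ConnTracker) -> tuple:
    """Evaluate one packet against the quoted rule
    '-p tcp --dport 22 --syn -m state --state NEW -j ACCEPT'.
    Returns (syn_match, state, accepted)."""
    syn = matches_syn(pkt)
    st = tracker.state(pkt)
    return (syn, st, pkt.dport == 22 and syn and st == "NEW")


def demo() -> list:
    """Run a constructed trace through the rule; one tuple per packet."""
    trace = [
        # 1. client opens a connection: SYN only
        Packet("10.0.0.5", 40001, "10.0.0.1", 22, frozenset({"SYN"})),
        # 2. server replies SYN/ACK
        Packet("10.0.0.1", 22, "10.0.0.5", 40001, frozenset({"SYN", "ACK"})),
        # 3. client completes the handshake with a bare ACK
        Packet("10.0.0.5", 40001, "10.0.0.1", 22, frozenset({"ACK"})),
        # 4. a bare ACK from a flow the table has never seen
        Packet("10.0.0.9", 50123, "10.0.0.1", 22, frozenset({"ACK"})),
    ]
    tracker = ConnTracker()
    return [accept_new_ssh(p, tracker) for p in trace]


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print(i, result)
```

Packet 4 is the instructive one: the table has no entry for it, so the state match alone calls it NEW and a rule using only `--state NEW` would accept it, while `--syn` rejects it because ACK is set. Packet 3 shows the reverse: it is not a SYN, yet the table knows the connection has seen a reply, so it is ESTABLISHED and is handled by the `ESTABLISHED,RELATED` rule rather than the NEW one.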
Thread overview: 6+ messages
2005-08-28  8:55 --syn and NEW are same ? or ? CC commmunication
2005-08-28 20:48 ` STRING module Alex Sirbu
2005-08-28 21:03   ` Alex Sirbu
2005-08-29 10:41     ` Alex Sirbu
2005-08-29 14:12       ` Pablo Neira
2005-08-29 15:19         ` Frank