State Match Question

Linux Netfilter discussions
 help / color / mirror / Atom feed

* State Match Question
@ 2002-06-06 19:44 Paul Dunphy
  2002-06-06 20:17 ` Guillaume Morin
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Dunphy @ 2002-06-06 19:44 UTC (permalink / raw)
  To: netfilter

Could some kind soul please explain to me (or point me to information 
about) what the difference is between filtering on state ESTABLISHED in 
iptables and filtering on ! --syn? In other words, what's the difference 
between saying

iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT

and saying,

iptables -A FORWARD -p tcp ! --syn -j ACCEPT

My apologies if this has been discussed before - I am new to the list (and 
to iptables :)

Thanks,
Paul


---------------------------------------------------------------------
Paul T. Dunphy, P.Eng.
Systems Administrator/Research Engineer
Centre for the Study of Commercial Activity
Ryerson University
Toronto, Ontario, CANADA
E-mail: pdunphyATcsca.ryerson.ca



^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: State Match Question
  2002-06-06 19:44 State Match Question Paul Dunphy
@ 2002-06-06 20:17 ` Guillaume Morin
  0 siblings, 0 replies; 2+ messages in thread
From: Guillaume Morin @ 2002-06-06 20:17 UTC (permalink / raw)
  To: Paul Dunphy; +Cc: netfilter

Hi Paul,

Dans un message du 06 jun à 15:44, Paul Dunphy écrivait :
> Could some kind soul please explain to me (or point me to information 
> about) what the difference is between filtering on state ESTABLISHED in 
> iptables and filtering on ! --syn? In other words, what's the difference 
> between saying
> 
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
> 
> and saying,
> 
> iptables -A FORWARD -p tcp ! --syn -j ACCEPT

In the first rule, you let only pass valid TCP packets correponding to a
established connection e.g a ack packet during the connection, a syn/ack
packet during the TCP handshake, a fin/ack at the end of a connection.

The second let every non SYN packet pass. That includes the packets
which are matched by the first rule of course. But invalid packets in
the sense of the connection state (a syn/ack packet without a previoous
syn packet) and packets with nasty flags (NULL, XMAS...) will pass.
That is bad. Always use the state and avoid matching yourself the TCP
flags. Matching both can be interesting e.g -m state --state NEW --syn.

HTH.

-- 
Guillaume Morin <guillaume@morinfr.org>

      A friend in need is a friend indeed. A friend who bleeds is better.
         My friend confessed, she passed the test. We will never sever.
                                   (Placebo)

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2002-06-06 20:17 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-06 19:44 State Match Question Paul Dunphy
2002-06-06 20:17 ` Guillaume Morin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox