Linux Netfilter discussions
From: Martijn Klingens <mklingens@ism.nl>
To: netfilter@lists.netfilter.org
Subject: Re: new tcp connections, without SYN
Date: Wed, 9 Apr 2003 14:31:22 +0200
Message-ID: <200304091431.22200.mklingens@ism.nl>
In-Reply-To: <1049887993.22720.3.camel@elendil.intranet.cartel-securite.net>

On Wednesday 09 April 2003 13:33, Cedric Blancher wrote:
> On Wed 09/04/2003 at 13:16, Carlos Ble wrote:
> > Hi all. Two days ago, I added the policy that drops all new TCP
> > connections that start without SYN, to prevent port scanners and other attacks:
> > iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> > --log-prefix "NEW tcp try no SYN:"
> > iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> 
> You can add RELATED state to this :
> 
> 	iptables -A bad_tcp_packets -p tcp ! --syn -m state \
> 		--state NEW,RELATED -j DROP

That doesn't necessarily help though.

Our firewall also has a 'new, not syn' filter and it gets hit a LOT. On 
average about 20% of all blocked packets. Another 20% are unexpected RSTs 
(i.e. RSTs that cannot be mapped to a RELATED or ESTABLISHED connection).

It has been like this for quite some months, and everything works as expected, 
but we never found the cause of these 'new, not syn' packets and unexpected resets.

(Yes, related traffic _is_ properly accepted, so that can't be the case.)

-- 
Martijn
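An added example, not code from anyone in this thread: a small Python analyzer for the kernel LOG lines that the quoted `-j LOG --log-prefix "NEW tcp try no SYN:"` rule emits, which breaks the hits down by TCP flags and source port so a firewall admin can see whether they are stale ACKs from servers after a state entry expired, late FIN/RST teardowns, or bare ACKs aimed at local services. The log lines below are constructed for the example; the field layout is the standard netfilter LOG format.

```python
import re
from collections import Counter

PREFIX = "NEW tcp try no SYN:"          # the --log-prefix from the quoted rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # key=value tokens (OUT= may be empty)
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens before URGP=

# Constructed sample of what the rule writes to the kernel log.
SAMPLE_LOG = """\
Apr  9 14:01:02 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=45123 WINDOW=0 RES=0x00 ACK URGP=0
Apr  9 14:01:05 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=33001 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 14:01:09 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=45124 WINDOW=0 RES=0x00 ACK FIN URGP=0
Apr  9 14:02:11 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Apr  9 14:02:30 fw kernel: other rule:IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=1024 LEN=60
"""

def parse_log_line(line):
    """Return the key=value fields plus a FLAGS set, or None if the line
    was not produced by the rule carrying our log prefix."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in FLAG_NAMES}
    return fields

def classify(fields):
    """Bucket one hit by the reason conntrack most plausibly saw it as NEW."""
    flags = fields["FLAGS"]
    spt = int(fields.get("SPT", "0"))
    if "RST" in flags:
        return "rst"               # reset for a connection conntrack no longer knows
    if "FIN" in flags:
        return "late-fin"          # teardown arriving after the state entry expired
    if flags == {"ACK"} and spt < 1024:
        return "ack-from-service"  # remote server port: usually a stale session
    if flags == {"ACK"}:
        return "ack-to-service"    # bare ACK at a local service with no known state
    return "other"

def summarize(log_text):
    """Count hits per bucket; lines from other rules are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is not None:
            counts[classify(fields)] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_LOG).most_common():
        print(f"{bucket:18s} {n}")
```

Feeding a real `/var/log/messages` (or `journalctl -k` output) through `summarize()` gives the share of each bucket; a large "ack-from-service" share usually points at conntrack timeouts or a firewall restart rather than at scanning.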
