seberino@spawar.navy.mil wrote:
> Please explain these:
>
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>
> Do the first 3 imply you must send ACK when you send a FIN, PSH or URG?
>
> And does the last mean you must always set *some* TCP flag?
>
> CS
>

Exactly. The first 3 rules are used for dropping packets which have FIN, PSH or URG set but do not have the ACK flag set. The last one prevents empty packets (no flag set) from entering your network. As such packets are often used by port scans, it is useful to drop them.

Jason posted a link some time ago with a list of rules to perform TCP checks:
http://www.stearns.org/modwall/sample/tcpchk-sample

--
PGP-ID 0xF8EAF138
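As an added illustration (not part of the thread), the following Python models the `--tcp-flags MASK COMP` match semantics, which is the point CS asked about: only the flag bits named in MASK are examined, and among those exactly the bits in COMP must be set. It then runs the four quoted rules, in order, against constructed packet flag sets; the function and variable names are the example's own, not iptables API.

```python
# Added example: a model of iptables' "--tcp-flags MASK COMP" matching,
# applied to the four DROP rules from the thread. Not from the mailing list.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())


def parse_flag_list(spec):
    """Turn 'ACK,FIN', 'ALL' or 'NONE' into a flag bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """iptables semantics: look only at the MASK bits of the packet, and
    require that exactly the COMP bits (and no other MASK bits) are set.
    Bits outside MASK (e.g. SYN for mask ACK,FIN) are ignored entirely."""
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    return (packet_flags & mask) == comp


# The four rules quoted in the thread, as (MASK, COMP) pairs in chain order.
DROP_RULES = [("ACK,FIN", "FIN"),   # FIN without ACK
              ("ACK,PSH", "PSH"),   # PSH without ACK
              ("ACK,URG", "URG"),   # URG without ACK
              ("ALL", "NONE")]      # no flag set at all


def first_dropping_rule(packet_flags):
    """Index of the first rule that would DROP the packet, or None if the
    packet passes all four and evaluation continues down the INPUT chain."""
    for index, (mask, comp) in enumerate(DROP_RULES):
        if tcp_flags_match(mask, comp, packet_flags):
            return index
    return None


def flags(*names):
    """Build a packet flag set from flag names, e.g. flags('FIN', 'ACK')."""
    return sum(TCP_FLAGS[n] for n in names)


if __name__ == "__main__":
    # Constructed sample packets: a normal FIN/ACK passes, a bare FIN
    # hits rule 0, and a packet with no flags at all hits rule 3.
    for sample in (flags("FIN", "ACK"), flags("FIN"), flags("SYN"), 0):
        print(f"flags=0x{sample:02x} -> rule {first_dropping_rule(sample)}")
```

Note that the rules match on flag combinations only; a packet passing all four still has to satisfy whatever state or port rules follow in the chain.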