Stateful filtering and a bug in Makefile
Tommi Virtanen
tv@havoc.fi
Fri, 29 Oct 1999 16:57:39 +0300
On Fri, Oct 29, 1999 at 11:26:44PM +1000, Graham Murray wrote:
> > Hi. Is anyone working on stateful filtering (conntracking
> > and accept only those packets relating to outgoing connections)?
> > I want to avoid duplicate work..
> Will rules like the following not do this? (Probably with some logging
> rules added as well)
>
> insmod ip_conntrack
> iptables -A INPUT -p tcp --syn -j DROP
> iptables -A INPUT -p tcp -m state --state ! ESTABLISHED -j DROP
Hmm. Is state really at that stage already?
I mean if I set those rules and send a random non-SYN packet,
it won't get through? Sounds good. Whoa. I had no idea
you guys were this far. Thank you.
--
Havoc Consulting | unix, linux, perl, mail, www, internet, security consulting
+358 50 5486010 | software development, unix administration, training
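The two quoted INPUT rules are easier to reason about with a small model of what `-m state` actually classifies. The following is an added example, not netfilter code and not something from the thread: a constructed Python simulation of ip_conntrack's TCP classification (NEW, ESTABLISHED, INVALID) with the two rules applied in order, replayed over a made-up packet trace. The hosts and ports are invented, the INPUT policy is assumed to be ACCEPT, and, as in netfilter, a packet that the filter drops never gets its connection entry confirmed, so a dropped SYN creates no state. Note that modern iptables spells the match `-m conntrack --ctstate`, and a production ruleset normally accepts RELATED as well as ESTABLISHED so that ICMP errors for tracked flows are not discarded.

```python
"""Toy model of the stateful INPUT rules quoted in the message:

    iptables -A INPUT -p tcp --syn -j DROP
    iptables -A INPUT -p tcp -m state --state ! ESTABLISHED -j DROP

Constructed simulation, not netfilter code: it implements just enough of
ip_conntrack's TCP state classification to show which inbound packets the
two rules let through.  Hosts, ports and packets below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


class ConnTracker:
    """Minimal connection table keyed by the 4-tuple of the original direction.

    NEW         = packet starts a flow, or belongs to one with no reply seen yet
    ESTABLISHED = the flow has seen packets in both directions
    INVALID     = packet matches no flow and cannot start one (non-SYN)
    """

    def __init__(self):
        # original-direction 4-tuple -> True once a reply-direction packet was seen
        self.flows = {}

    @staticmethod
    def _fwd(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def classify(self, pkt):
        """Return the -m state classification without touching the table."""
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if rev in self.flows:                # reply direction of a known flow
            return "ESTABLISHED"
        if fwd in self.flows:                # original direction of a known flow
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        if pkt.flags == frozenset({"SYN"}):  # only a bare SYN may open a TCP flow
            return "NEW"
        return "INVALID"

    def confirm(self, pkt):
        """Commit the packet to the table; called only for accepted packets."""
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if rev in self.flows:
            self.flows[rev] = True
        elif fwd not in self.flows:
            self.flows[fwd] = False


def is_syn_only(pkt):
    """Match for `--syn`: SYN set, ACK/FIN/RST clear."""
    return pkt.flags == frozenset({"SYN"})


def input_chain(tracker, pkt):
    """Apply the two quoted INPUT rules in order; chain policy assumed ACCEPT."""
    state = tracker.classify(pkt)
    if is_syn_only(pkt):            # -p tcp --syn -j DROP
        return "DROP"
    if state != "ESTABLISHED":      # -m state --state ! ESTABLISHED -j DROP
        return "DROP"
    tracker.confirm(pkt)            # accepted packets update connection state
    return "ACCEPT"


def output_chain(tracker, pkt):
    """Locally generated packets are not filtered here, but conntrack sees them."""
    tracker.confirm(pkt)
    return "ACCEPT"


def scenario():
    """Replay a short constructed packet trace and return the INPUT verdicts."""
    ct = ConnTracker()
    me, peer, stranger = "10.0.0.2", "203.0.113.5", "198.51.100.9"
    output_chain(ct, Packet(me, 40000, peer, 80, frozenset({"SYN"})))   # we connect out
    return {
        # reply to our outgoing connection: not --syn, ESTABLISHED -> accepted
        "syn_ack_reply": input_chain(ct, Packet(peer, 80, me, 40000, frozenset({"SYN", "ACK"}))),
        # later data on the same flow
        "data_reply": input_chain(ct, Packet(peer, 80, me, 40000, frozenset({"ACK"}))),
        # unsolicited connection attempt: dropped by the --syn rule, no state created
        "unsolicited_syn": input_chain(ct, Packet(stranger, 1234, me, 22, frozenset({"SYN"}))),
        # the "random non-SYN packet" from the message: matches no flow -> INVALID -> dropped
        "random_ack": input_chain(ct, Packet(stranger, 1234, me, 22, frozenset({"ACK"}))),
        # stray FIN/ACK to an open local port from an unknown peer, same outcome
        "stray_fin": input_chain(ct, Packet(stranger, 4321, me, 80, frozenset({"FIN", "ACK"}))),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:16s} {verdict}")
```

Running the script shows the replies to the outgoing connection being accepted while the unsolicited SYN and the random non-SYN packets are all dropped, which is the behaviour the reply above was asking about.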