Is this rule worthwhile??
Taso Hatzi
taso@esands.com
Mon, 28 Jan 2002 22:25:21 +1100
Patrick Schaaf wrote:
>
> > Oscar Andreasson's sample scripts make use of the following rule
> > to drop suspect incoming packets.
> >
> > " -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP"
>
> This rule allows only SYN packets (beginnings of new TCP connections)
> for unknown (state NEW) connections. If this is your goal, the rule
I understand the intent of the rule. The problem is that it
appears to not work as expected.
> makes sense. If you like a freshly booted (or conntrack-module-reloaded)
> box to pick up existing connections on the fly, that rule bites you.
>
I'm getting a steady stream of log entries under normal operating
conditions - ie the firewall has been running continuously.
> > That rule produces lots of log entries on what seem to be the
> > tail end of TCP connections (ie ACK FIN flags are set).
>
> Huh? A DROP rule producing logging entries? Please be a lot more
> specific.
>
The matching packets are being LOG'd first & then DROP'd.
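A toy model of the behaviour Patrick describes, added here as an illustration and not code from either poster: it mimics the `-m state` classification and the `! --syn --state NEW` rule from the thread, and shows that once the conntrack entry for a flow is gone (reboot or module reload, modelled by the constructed `flush` helper), the FIN/ACK tail of that connection is logged and dropped while a proper SYN still passes. The addresses and packet sequence are constructed.

```python
from dataclasses import dataclass, field

SYN, ACK, FIN = 0x02, 0x10, 0x01          # TCP flag bits

@dataclass
class Packet:
    src: str
    dst: str
    flags: int

@dataclass
class Conntrack:
    """Minimal stand-in for the conntrack table behind '-m state'."""
    flows: set = field(default_factory=set)

    def state_of(self, pkt):
        # NEW: no confirmed entry for this flow yet; ESTABLISHED: seen before
        return "ESTABLISHED" if frozenset((pkt.src, pkt.dst)) in self.flows else "NEW"

    def confirm(self, pkt):
        self.flows.add(frozenset((pkt.src, pkt.dst)))   # entry kept once the packet is accepted

    def flush(self):
        self.flows.clear()   # constructed: reboot / conntrack module reload, all state lost

def forward_chain(pkt, ct, log):
    """-A FORWARD -p tcp ! --syn -m state --state NEW -j LOG, then -j DROP; otherwise ACCEPT."""
    # --syn means SYN set with ACK, RST and FIN clear (RST omitted in this toy model)
    is_syn = bool(pkt.flags & SYN) and not (pkt.flags & (ACK | FIN))
    state = ct.state_of(pkt)
    if not is_syn and state == "NEW":
        log.append(f"DROP {pkt.src}->{pkt.dst} flags=0x{pkt.flags:02x} state={state}")
        return "DROP"
    ct.confirm(pkt)
    return "ACCEPT"

def simulate(lose_state_before_close):
    """Run one full TCP connection through the chain, optionally wiping conntrack before the FIN exchange."""
    c, s = "192.0.2.10", "198.51.100.80"          # constructed addresses
    flow = [Packet(c, s, SYN), Packet(s, c, SYN | ACK), Packet(c, s, ACK),
            Packet(c, s, FIN | ACK), Packet(s, c, FIN | ACK), Packet(c, s, ACK)]
    ct, log, verdicts = Conntrack(), [], []
    for i, pkt in enumerate(flow):
        if lose_state_before_close and i == 3:
            ct.flush()
        verdicts.append(forward_chain(pkt, ct, log))
    return verdicts, log
```

`simulate(True)` returns three DROP verdicts for the closing FIN/ACK and ACK packets, with matching log lines, which is the pattern of entries the thread reports; `simulate(False)` accepts every packet.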