TCP and SYN packets

From: Matt Kowske (jmkowske@students.wisc.edu)
Date: 12/11/01 

From: Matt Kowske <jmkowske@students.wisc.edu>
To: Linux security list <security-discuss@linuxsecurity.com>
Date: 10 Dec 2001 17:30:14 -0600

Hello all,

I am trying to setup a firewall, and have read and seen in some firewall
scripts lines similar this:

iptables -A <chain> -p tcp ! --syn -m state --state NEW -j DROP

This lane basically says, as I understand it, that all new packets that
are not of the "SYN" state will be dropped. I've read that it is TCP
protocol to always first send a SYN packet to establish the connection
and so any connection that first sends a packet that is NOT of the SYN
state, should be dropped because it is suspicious of something bad going
on. This made sense to me at first, but I have been logging any of
these "new, but no syn packet" packets for about a week now, and get
them quite frequently from a wide variety of respectable websites. I
doubt these domains are trying to hack me and so I'm wondering if this
is normal and I shouldn't be dropping these packets. It doesn't seem to
affect any connections by dropping these packets. Anyone know what's
going on here? Thanks in advance.

-Matt Kowske

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.