iptables
From: "Bill K." <bilkay@xxxlocalnet.com>
Date: Tue, 28 Jan 2003 18:27:44 GMT
I'm using a slightly modified version of the "firewall" script found at:
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
Sample script I.2
I've noticed that sometimes after a connection terminates, there are a lot
of packets showing up in the log coming from:
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
Question:
Would it be better to change the "DROP" line to:
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j REJECT \
--reject-with tcp-reset
Would this introduce a new, possibly worse problem?
Is there a better way?
Thanks
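As an added example (not from the original post, nor from the tutorial it cites), a small Python triage script for the kernel log entries this chain produces: it parses lines carrying the "New not syn:" prefix and sorts them into likely leftovers of a connection conntrack has already expired versus entries worth a closer look, which is the information needed before deciding between DROP and REJECT for them. The field layout follows what the netfilter LOG target writes; the sample lines and the classification heuristic are constructed assumptions.

```python
from collections import Counter

LOG_PREFIX = "New not syn:"                     # --log-prefix used in the chain
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample entries (not from the post) in the LOG target's field layout.
SAMPLE_LOG = """\
Jan 28 18:30:01 gw kernel: New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 28 18:30:02 gw kernel: New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK URGP=0
Jan 28 18:30:09 gw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=31337 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
"""

def parse_line(line):
    """Split one LOG entry into KEY=VALUE fields plus a FLAGS string; None if no prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, []
    for tok in line[idx + len(LOG_PREFIX):].split():
        if "=" in tok:                          # IN=, SRC=, SPT=, URGP= ...
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in FLAG_TOKENS:                # bare TCP flag words
            flags.append(tok)
    fields["FLAGS"] = " ".join(flags)
    return fields

def classify(fields):
    """Heuristic label (an assumption, not a rule from the tutorial): FIN/RST stragglers and
    bare ACKs from a service port to a high local port fit a connection conntrack already
    forgot; everything else should be looked at before choosing DROP or REJECT for it."""
    flags = set(fields["FLAGS"].split())
    if flags & {"FIN", "RST"}:
        return "late-teardown"
    if flags == {"ACK"} and int(fields["SPT"]) < 1024 <= int(fields["DPT"]):
        return "late-ack"
    return "review"

def summarize(text):
    """Count entries per (label, SRC, SPT, DST, DPT, FLAGS) so the noisy flows stand out."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP":
            counts[(classify(f), f["SRC"], f["SPT"], f["DST"], f["DPT"], f["FLAGS"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it the real log (for example the output of dmesg or the syslog file the kernel facility goes to) instead of SAMPLE_LOG; flows dominated by late-teardown and late-ack entries are the ones where the choice between DROP and REJECT actually matters.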