Go figure on the google bit. All my queries had 'iptables' included, and I guess that sent my google hits in the wrong direction. Thanks for finding that! [Why is it always something stupid preventing me from finding what I need in google?]
Moving along, an example howto that uses --tcp-option is the following:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

This tutorial was linked directly off of netfilter.org, so I assumed that this tutorial had at least some credibility. It does cover the basics fairly well, it just lacks details in some areas. Given what I see so far, it looks as if I don't really need the line. I am not setting up a paranoid firewall, and the remainder of the tutorial covers basically all I need. So at this point, I'm still somewhat curious about it, but am no longer interested in it for production purposes...

Thanks for the quick reply! I'm always glad that I can count on the debian support groups to help me out if I get stuck with something.

-doug

----- Original Message -----
From: "Bernd Eckenfels" <[EMAIL PROTECTED]>
To: "Doug" <[EMAIL PROTECTED]>
Cc: <debian-firewall@lists.debian.org>
Sent: Tuesday, August 23, 2005 5:25 PM
Subject: Re: iptables --tcp-option ! 2

> On Tue, Aug 23, 2005 at 04:44:02PM -0700, Doug wrote:
> > I keep seeing this in firewall scripts on the net, but I am unable to find
> > an explanation or listing/table of tcp-options.
> > The command in question is the following
> >
> > iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
>
> If you google for "tcp options" the first hit is:
>
> http://www.iana.org/assignments/tcp-parameters
>
> Kind Length Meaning                         Reference
> ---- ------ ------------------------------- ---------
>    0      - End of Option List              [RFC793]
>    1      - No-Operation                    [RFC793]
>    2      4 Maximum Segment Size            [RFC793]
>    3      3 WSOPT - Window Scale            [RFC1323]
>  ...
>
> And I am not sure when the above rule makes sense. It looks inverted:
>
> The protocol requires this option only in the SYN segments, so perhaps this
> is a misguided try to filter those? What I see in some tutorials is, that
> you accept syn packets before, and then you can reject all packets which
> have the option, because they are no SYN segments.
>
> BTW: ipt_unclean is also filtering some option 2 misuse. But that is aimed
> at the content, not only the presence.
>
> > I'm sure it's safe, and likely a good idea to have in, given the number of
> > tutorials that have it in, but I just dislike the idea of having something
> > in my to be firewall script that I have little understanding of.
>
> Can you point us to a tutorial which has this in and does not explain it?
> Especially the one where this rule makes sense.
>
> Regards
> Bernd
> --
> (OO)      -- [EMAIL PROTECTED] --
> ( .. )    [EMAIL PROTECTED],linux.de,debian.org}  http://www.eckes.org/
>  o--o     1024D/E383CD7E  [EMAIL PROTECTED]  v:+497211603874 f:+49721151516129
> (O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
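Added example, not part of the thread or of iptables itself: a small Python model of what the `--tcp-option` match looks at. It walks a TCP options field with the RFC 793 framing and contrasts the rule as quoted (reject when kind 2 is absent, which hits ordinary data segments) with the ordering Bernd describes (accept SYN first, then reject anything still carrying MSS). Function names and the sample option bytes are my own constructions.

```python
# TCP option kinds from the IANA registry quoted in the thread.
EOL, NOP, MSS, WSOPT = 0, 1, 2, 3

def parse_tcp_options(options: bytes) -> list:
    """Walk a TCP options field and return a list of (kind, data) pairs.
    Kinds 0 (EOL) and 1 (NOP) are single bytes; every other kind carries a
    length byte that counts kind + length + data, the RFC 793 framing.
    Malformed lengths raise ValueError instead of being silently skipped.
    """
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            parsed.append((EOL, b""))
            break                      # only padding follows EOL
        if kind == NOP:
            parsed.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d at offset %d has no length byte" % (kind, i))
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option %d at offset %d has bad length %d" % (kind, i, length))
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed

def has_option(options: bytes, kind: int) -> bool:
    """What `--tcp-option <kind>` tests: is an option of this kind present?"""
    return any(k == kind for k, _ in parse_tcp_options(options))

def quoted_rule_rejects(options: bytes) -> bool:
    """The rule from the thread, `--tcp-option ! 2 -j REJECT`: it fires on
    every segment that does NOT carry MSS, i.e. on ordinary data segments."""
    return not has_option(options, MSS)

def ordered_rules_reject(syn: bool, options: bytes) -> bool:
    """The ordering Bernd describes: `--syn -j ACCEPT` first, then reject
    anything still carrying MSS, since a non-SYN segment should never have it."""
    if syn:
        return False
    return has_option(options, MSS)

# Constructed sample option fields (not captured traffic).
SYN_OPTS = bytes.fromhex("020405b4" "01" "030307")  # MSS 1460, NOP, WSOPT 7
DATA_OPTS = b""                                      # plain data segment, no options
```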