On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Rene Mayrhofer <[EMAIL PROTECTED]> [2006.07.04.1013 +0200]:
> > That must be connection pickup. At
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > search for "pickup".
>
> Excellent pointer, and yet another reason why we should really be
> looking for alternatives to the Linux kernel.
>
>   The default, without the tcp-window-tracking patch, is to have
>   this behaviour, and is not changeable.

Oskar's tutorial is really excellent; alas, at some point it's outdated.

First, in the 2.6 kernel tree, you can disable connection pickup via
sysctl. Second, you can set up your rules anytime, regardless of 2.4/2.6,
so that connection pickup is disabled. For example:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

Best regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

