"Reckhard, Tobias" <[EMAIL PROTECTED]> writes:
>Now on to your ipchains question. Actually, '-y' means 'SYN bit set'
>and '! -y' means 'SYN bit cleared', but that is wrong, otherwise the
>TCP three-way handshake would never complete. Instead, it probably
>means 'only SYN set' or perhaps even 'SYN set, FIN and ACK cleared'.
Let me see if I can clarify.
'!' is a general negation operator in ipchains.
Hence, if '-y' means 'match all packets with the SYN bit set and the ACK
and FIN bits cleared', then '! -y' is its negation, i.e. 'match all
packets other than those matched by -y', i.e. those which either have the
SYN bit cleared or one or both of FIN and ACK set.
By blocking incoming TCP packets with the SYN bit set and FIN/ACK
cleared ('-y'), you prevent the establishment of incoming connections
(by virtue of blocking the first packet in a TCP connection set-up
attempt).
By accepting incoming TCP packets which do NOT have the SYN bit set etc.
('! -y'), you permit incoming traffic on previously established
connections (presumably ones initiated locally) and the incoming
response packets required to establish outgoing connections (which
contain SYN but also ACK, and therefore don't match -y).
The result is that you can establish outgoing TCP connections and
traffic can pass back and forth, but new incoming TCP connections are
blocked.
This is probably what you want unless you are also running services on
specific ports behind your firewall which external hosts need to
connect to (e.g. HTTP on port 80). You should configure these ports
as special cases.
David.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
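The flag logic discussed in the reply above, worked through as an added example (not code from the original post or from ipchains itself): a small Python model of the '-y' match, its negation '! -y', and an ordered input chain that denies new incoming connections while letting replies to outgoing ones through, with the port 80 special case mentioned at the end of the reply. The rule names, the `dport` parameter and the packet samples are constructed for illustration; the ipchains commands in the comments are the equivalent rules as this editor would write them, not rules quoted from the post.

```python
# Added example: model of ipchains' '-y' / '! -y' matching and a first-match
# input chain built from those rules. Not part of the original post.

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def matches_y(flags):
    """ipchains '-y': SYN set, and both ACK and FIN cleared.

    This is exactly the first packet of a TCP three-way handshake; a
    SYN/ACK (the reply to our own outgoing SYN) does not match."""
    return SYN in flags and ACK not in flags and FIN not in flags


def matches_not_y(flags):
    """'! -y' is the plain negation of '-y' (every other TCP packet)."""
    return not matches_y(flags)


# Hypothetical input chain, evaluated top to bottom, first match wins,
# equivalent to:
#   ipchains -A input -p tcp -y -d 0/0 80 -j ACCEPT   # special case: HTTP server
#   ipchains -A input -p tcp -y -j DENY               # block other new incoming
#   ipchains -A input -p tcp ! -y -j ACCEPT           # allow everything else TCP
RULES = [
    # (rule name, predicate(flags, destination port), target)
    ("allow-http-syn", lambda f, p: matches_y(f) and p == 80, "ACCEPT"),
    ("deny-new-incoming", lambda f, p: matches_y(f), "DENY"),
    ("allow-established", lambda f, p: matches_not_y(f), "ACCEPT"),
]


def input_chain_verdict(flags, dport):
    """Return (target, rule name) for a TCP packet arriving on the input
    chain. Every TCP packet matches either -y or ! -y, so the chain's
    default policy is never reached here."""
    for name, predicate, target in RULES:
        if predicate(flags, dport):
            return target, name
    return "POLICY", None  # chain default policy; not modelled


# Constructed packets as seen from the firewall's input side.
INCOMING_SYN_TO_SMTP = (frozenset({SYN}), 25)         # new connection attempt
INCOMING_SYN_TO_HTTP = (frozenset({SYN}), 80)         # new connection, allowed port
SYN_ACK_FOR_OUR_SYN = (frozenset({SYN, ACK}), 40001)  # reply to our outgoing SYN
DATA_ACK = (frozenset({ACK}), 40001)                  # established connection
REMOTE_CLOSE = (frozenset({FIN, ACK}), 40001)         # remote side closing


def walk_handshake():
    """Verdicts for each constructed packet, keyed by a short label."""
    samples = {
        "incoming_syn_smtp": INCOMING_SYN_TO_SMTP,
        "incoming_syn_http": INCOMING_SYN_TO_HTTP,
        "syn_ack_reply": SYN_ACK_FOR_OUR_SYN,
        "data_ack": DATA_ACK,
        "remote_close": REMOTE_CLOSE,
    }
    return {label: input_chain_verdict(*pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (target, rule) in walk_handshake().items():
        print(f"{label:20s} -> {target:6s} (rule: {rule})")
```

The point the model makes visible is the one in the reply: the SYN/ACK that completes an outgoing handshake carries ACK and therefore falls through to the `! -y` rule, so only the bare SYN that opens an inbound connection is stopped. A rule order mistake (putting the `! -y` ACCEPT first is harmless, but putting the generic `-y` DENY above the port 80 exception silently kills the web server) shows up immediately in `walk_handshake()`.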