On Thu, 21 Jun 2001, Reckhard, Tobias wrote:
> I don't see where control of the SYN bit helps in getting rid of
> doubleclick,
Consider this:
ipchains -A output -y -d ad.doubleclick.net -j DENY
or, in plain English (for anyone not familiar with IPchains syntax):
deny all outgoing packets to ad.doubleclick.net that have the SYN bit
set.
> The sender completes the three-way handshake with a 'standard' TCP
> segment,
This third packet in the three-way handshake is ACK SYN ACK (though I'm
not 100% sure how it differs from the second packet [ACK SYN]), after
which, like you said, the actual data traffic begins.
> Now, the second segment in this sequence, i.e. the first one
> travelling from connection recipient to original sender *has the SYN
> bit set*. So, [snip] then you'd effectively block this second segment
> of the three-way handshake [snip]
Ah, true. Didn't think all the way through it. So, to make (rational)
use of denying packets with SYN bit set you really should make the rules
based on IP/netmask and/or traffic direction instead of denying to/from
everywhere.
> Still, I'd rather sit behind an ipchains or iptables box, which (BTW)
> I still prefer to call packet filters if that's all there is on the
> box, than have a direct connection to the Internet.
Agreed.
.pi.
--
Petteri Lyytinen + [EMAIL PROTECTED] + http://www.cs.tut.fi/~typo/
"Close friends are the true angels who lift you up on your feet when
your wings don't remember how to fly."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
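The handshake and the rule-matching discussed in this thread, as an added example that is not code from the message or from the ipchains project: a toy model of the input/output chains that runs three connection attempts (outbound to the ad server, outbound to another host, inbound from another host) through three rule sets and reports which of the three handshake segments each denies. The addresses are constructed stand-ins (the ad server IP stands in for ad.doubleclick.net); the rule-matching is a simplification of a real packet filter; the -y semantics follow the ipchains man page (SYN set, ACK and FIN clear), which the model contrasts with a literal "SYN bit set" test.

```python
"""Which segments of a TCP three-way handshake does a SYN-based filter rule
deny?  Toy model of ipchains chains: 'output' sees segments leaving our host,
'input' sees segments arriving.  All addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed addresses: assumptions for the example, not real hosts.
LOCAL = "192.0.2.10"        # our host, the one running the filter
AD_SERVER = "203.0.113.5"   # stands in for ad.doubleclick.net
PEER = "198.51.100.7"       # a remote host that may connect *to* us

SYN, ACK, FIN = "SYN", "ACK", "FIN"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset


def handshake(initiator: str, responder: str) -> list[Segment]:
    """The three segments of a TCP open, initiated by `initiator`."""
    return [
        Segment(initiator, responder, frozenset({SYN})),        # 1: SYN
        Segment(responder, initiator, frozenset({SYN, ACK})),   # 2: SYN/ACK
        Segment(initiator, responder, frozenset({ACK})),        # 3: ACK
    ]


def chain_of(seg: Segment) -> str:
    """The ipchains chain that inspects this segment on LOCAL."""
    return "output" if seg.src == LOCAL else "input"


def syn_bit_set(seg: Segment) -> bool:
    """Literal reading of 'SYN bit set': matches segments 1 and 2."""
    return SYN in seg.flags


def ipchains_y(seg: Segment) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear.  Matches only segment 1."""
    return SYN in seg.flags and not ({ACK, FIN} & seg.flags)


@dataclass(frozen=True)
class Rule:
    chain: str                          # "input" or "output"
    match: Callable[[Segment], bool]    # flag test
    dst: Optional[str] = None           # -d target, None = any destination


def denied(rules: list[Rule], segs: list[Segment]) -> list[int]:
    """1-based positions of handshake segments that some rule denies."""
    hits = []
    for pos, seg in enumerate(segs, 1):
        if any(r.chain == chain_of(seg)
               and (r.dst is None or r.dst == seg.dst)
               and r.match(seg) for r in rules):
            hits.append(pos)
    return hits


def evaluate(rules: list[Rule]) -> dict[str, list[int]]:
    """Run three connection attempts through the rule set."""
    return {
        "out_to_ad": denied(rules, handshake(LOCAL, AD_SERVER)),
        "out_to_peer": denied(rules, handshake(LOCAL, PEER)),
        "in_from_peer": denied(rules, handshake(PEER, LOCAL)),
    }


# The rule from the message: ipchains -A output -y -d ad.doubleclick.net -j DENY
TARGETED = [Rule("output", ipchains_y, AD_SERVER)]

# A blanket "any segment with SYN set" rule on both chains, no address, no direction.
BLANKET_SYN = [Rule("input", syn_bit_set), Rule("output", syn_bit_set)]

# A blanket -y rule on the output chain only.
OUTPUT_Y_ONLY = [Rule("output", ipchains_y)]

if __name__ == "__main__":
    for name, rules in [("targeted", TARGETED), ("blanket_syn", BLANKET_SYN),
                        ("output_y_only", OUTPUT_Y_ONLY)]:
        print(name, evaluate(rules))
```

Running it shows the point of the thread: the targeted rule denies only the first segment of a new connection to the ad server and touches nothing else, while a blanket rule on the raw SYN bit in both directions also denies the SYN/ACK reply (segment 2) of every handshake, inbound and outbound alike. The third rule set illustrates the direction argument: a -y rule restricted to the output chain stops new outbound connections but lets the SYN/ACK we send in reply to an inbound connection through, because that segment carries ACK as well as SYN.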