> If this is the case, you can configure your firewall to block all incoming SYN+ACK packets
> that are not in response to an outgoing SYN packet. This would be pretty straightforward in
> the ipf or pf firewalls; it might be straightforward with iptables as well. I'm hoping my
> response will help you find some appropriate documentation.
Under iptables the state switch does this for you. For example, your allows look like:

#inbound ssh allow
iptables -A FORWARD -i $EXTIF -p tcp -s X.X.X.0/24 -d X.X.X.X/32 --dport 22 -m state --state NEW -j ACCEPT

#allow ntp access
iptables -A INPUT -i $EXTIF -p udp -s X.X.X.X/32 --dport 123 -m state --state NEW -j ACCEPT

#allow packets related to existing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#(the OUTPUT chain needs the same rule, or the host's own replies to the
# accepted ssh/ntp traffic are dropped by the final OUTPUT DROP below)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#drop all other packets
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

Hope this helps.
-Shane
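To make the "state switch does this for you" behaviour concrete, here is an added, runnable model of the mechanism (my own illustration, not code from the thread or from the iptables project): a tiny connection-tracking table keyed on the flow 4-tuple, plus INPUT/OUTPUT rule lists in the spirit of Shane's ruleset. An inbound SYN+ACK is classified ESTABLISHED only when an outbound SYN for the reversed tuple was accepted first; a SYN+ACK with no such history is INVALID and falls through to the default DROP, which is exactly the "block SYN+ACK not in response to an outgoing SYN" policy from the quoted text. The OUTPUT chain here accepts NEW flows so the host can originate connections, and the addresses are constructed from documentation ranges (the `192.0.2.` prefix stands in for `X.X.X.0/24`); both are assumptions, not something the original rules state.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN", "ACK"}); empty for udp
    chain: str          # "INPUT" for inbound packets, "OUTPUT" for outbound


class Conntrack:
    """Minimal stand-in for the kernel connection tracker behind '-m state'."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of the flow's first accepted packet -> marker
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def classify(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reply in self.table:
            return "ESTABLISHED"        # part of a flow we have already seen
        if pkt.proto == "udp" or pkt.flags == frozenset({"SYN"}):
            return "NEW"                # a legitimate first packet of a flow
        return "INVALID"                # e.g. SYN+ACK with no preceding SYN

    def commit(self, pkt: Packet) -> None:
        # Called only when a NEW packet is ACCEPTed, mirroring conntrack confirmation.
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SEEN"


Rule = Tuple[Callable[[Packet, str], bool], str]

TRUSTED_NET = "192.0.2."   # constructed stand-in for the X.X.X.0/24 source net

# Rule lists modelled on the posted ruleset; each chain ends in an implicit DROP.
RULES: Dict[str, List[Rule]] = {
    "INPUT": [
        # inbound ssh allow from the trusted net, NEW connections only
        (lambda p, s: s == "NEW" and p.proto == "tcp" and p.dport == 22
                      and p.src.startswith(TRUSTED_NET), "ACCEPT"),
        # allow ntp access
        (lambda p, s: s == "NEW" and p.proto == "udp" and p.dport == 123, "ACCEPT"),
        # allow packets related to existing connections
        (lambda p, s: s == "ESTABLISHED", "ACCEPT"),
    ],
    "OUTPUT": [
        (lambda p, s: s == "NEW", "ACCEPT"),          # assumption: host may originate flows
        (lambda p, s: s == "ESTABLISHED", "ACCEPT"),  # replies to accepted inbound flows
    ],
}


def filter_packet(ct: Conntrack, pkt: Packet) -> str:
    """Walk the chain's rules in order; first match wins, otherwise DROP."""
    state = ct.classify(pkt)
    for match, verdict in RULES[pkt.chain]:
        if match(pkt, state):
            if verdict == "ACCEPT" and state == "NEW":
                ct.commit(pkt)
            return verdict
    return "DROP"


def run_scenario() -> List[str]:
    """Constructed traffic: returns the verdict for each packet, in order."""
    ct = Conntrack()
    host, server = "198.51.100.10", "203.0.113.5"
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    packets = [
        Packet(host, 40000, server, 443, "tcp", syn, "OUTPUT"),          # we open a flow
        Packet(server, 443, host, 40000, "tcp", synack, "INPUT"),        # its legitimate reply
        Packet("203.0.113.9", 80, host, 40001, "tcp", synack, "INPUT"),  # unsolicited SYN+ACK
        Packet("192.0.2.20", 50000, host, 22, "tcp", syn, "INPUT"),      # ssh from trusted net
        Packet("203.0.113.9", 50001, host, 22, "tcp", syn, "INPUT"),     # ssh from elsewhere
    ]
    return [filter_packet(ct, p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the case the quoted text cares about: it carries SYN+ACK but no outbound SYN for the reversed tuple was ever accepted, so the tracker reports INVALID, no ACCEPT rule matches, and the chain's final DROP takes it. The real `--state` match works the same way, which is why no explicit SYN+ACK rule is needed once the ESTABLISHED,RELATED accept and a terminal DROP are in place.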