I'm trying to understand what's going on here. My goal is to log everything that hits the external interface, except the body of file transfers and lengthy web sites.

Here's what I THINK I'm doing:

Step 1 accepts everything previously established.
Step 2 logs and drops NEW non-connections; those should be really bad packets.
Step 3 logs all (external port) TCP connections and all non-TCP.

I think this is working pretty well. BUT I see some "IP New non SYN" in the log whenever I do web browsing thru the router. These I don't get.

Step 1
# ALLOW ALL replies to established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Step 2
# LOG and DISALLOW BAD TCP packets, NEW non-connections
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IP New non SYN: "
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IP New non SYN: "
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Step 3
# INSERT LOGGING RULES
$IPT -A INPUT -i $XT_DEVICE -p tcp --syn -j LOG --log-prefix "TCP LOG: "
$IPT -A FORWARD -i $XT_DEVICE -p tcp --syn -j LOG --log-prefix "TCP LOG: "
$IPT -A INPUT -i $XT_DEVICE -p ! tcp -j LOG --log-prefix "IP LOG: "
$IPT -A FORWARD -i $XT_DEVICE -p ! tcp -j LOG --log-prefix "IP LOG: "

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
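One way to triage the "IP New non SYN" entries the ruleset above produces, as an added example that is not part of the original post: the script below parses syslog lines in the format the iptables LOG target writes (the three `--log-prefix` strings from the rules, then `IN=... SRC=... PROTO=TCP SPT=... DPT=...` plus bare TCP flag tokens such as `ACK` and `FIN`), counts hits per prefix, and attaches a heuristic explanation to each non-SYN drop. The usual cause of such entries during ordinary browsing is a late packet (typically an ACK or FIN from the web server) arriving after conntrack has already forgotten the connection, for instance once the FIN exchange completed and the short closing timer ran out, or after a rule reload flushed the state table; such packets carry `NEW` state but no SYN, so Step 2 logs and drops them. The sample log lines, the addresses and ports, and the classification thresholds (ports 80 and 443 as "web server" source ports) are all constructed here and are assumptions, not data from the list post.

```python
import re
from collections import Counter

# Constructed sample syslog lines in iptables LOG-target format. The prefixes
# match the ruleset above; addresses, MACs and ports are made up for this example.
SAMPLE_LOG = """\
Nov  4 10:01:02 router kernel: TCP LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  4 10:01:05 router kernel: IP New non SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=33021 WINDOW=0 RES=0x00 ACK FIN URGP=0
Nov  4 10:01:06 router kernel: IP New non SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=33021 WINDOW=0 RES=0x00 ACK URGP=0
Nov  4 10:01:09 router kernel: IP New non SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=139 WINDOW=1024 RES=0x00 ACK URGP=0
Nov  4 10:01:11 router kernel: IP LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""

# Everything after "kernel: " up to the first ": " is the --log-prefix text.
PREFIX_RE = re.compile(r"kernel: (?P<prefix>.+?): (?P<rest>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
IP_FLAGS = {"DF", "MF", "CE"}
WEB_PORTS = {80, 443}  # assumption: treat these source ports as "web server replies"

NON_SYN_PREFIX = "IP New non SYN"
LATE_PACKET = "late packet from a web server after the conntrack entry expired or was flushed"
STRAY_RST = "stray RST for a connection conntrack no longer knows"
UNSOLICITED_ACK = "unsolicited ACK with no matching connection: worth watching if it repeats from one source"
OTHER = "other non-SYN packet without a conntrack entry"


def parse_log_line(line):
    """Turn one LOG-target syslog line into a dict of KEY=value fields plus a flags set.

    Returns None for lines that are not iptables LOG output.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set(), "ip_flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # ICMP lines repeat ID= (IP header, then ICMP id); keep the first one.
            rec.setdefault(key, val)
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok in IP_FLAGS:
            rec["ip_flags"].add(tok)
    return rec


def classify(rec):
    """Heuristic explanation for a dropped non-SYN NEW packet (a hint, not a verdict)."""
    if rec["prefix"] != NON_SYN_PREFIX:
        return "not a non-SYN drop"
    flags = rec["flags"]
    sport = int(rec.get("SPT", "0"))
    if "RST" in flags:
        return STRAY_RST
    if flags & {"ACK", "FIN"} and sport in WEB_PORTS:
        return LATE_PACKET
    if "ACK" in flags:
        return UNSOLICITED_ACK
    return OTHER


def summarize(log_text):
    """Count entries per log prefix and explanations for the non-SYN drops."""
    records = [r for r in map(parse_log_line, log_text.splitlines()) if r]
    by_prefix = Counter(r["prefix"] for r in records)
    reasons = Counter(classify(r) for r in records if r["prefix"] == NON_SYN_PREFIX)
    return by_prefix, reasons


if __name__ == "__main__":
    by_prefix, reasons = summarize(SAMPLE_LOG)
    for prefix, n in by_prefix.items():
        print(f"{n:4d}  {prefix}")
    print()
    for reason, n in reasons.items():
        print(f"{n:4d}  {reason}")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents; entries that land in the "late packet" bucket from servers you just browsed are the benign case, while repeated unsolicited ACKs from one source to many destination ports are the ones the Step 2 drop rule exists for.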
