Hello,

after some discussion on the list on using the unclean match I have come to the notion that this match would be great if it had some options to match.

In my opinion these rules may sometimes violate the RFCs and sometimes be an inadequate protection. Look at this:

  # iptables -A INPUT -m unclean -j DROP
or
  # iptables -A INPUT -m unclean -j REJECT

If the packet matched by the UNCLEAN match has an invalid checksum, it should be replied to with ICMP parameter problem, not with ICMP dest unreachables.

Another example:

  # iptables -A INPUT -p tcp -m unclean -j REJECT --reject-with tcp-reset

Again, this works great for XMAS, NULL, FIN, etc. scans, but if the packet matched has something else wrong with it, not the flags, a TCP RST packet is an incorrect way to react.

What I recommend (request/plead) is for this to be possible:

  # iptables -A INPUT -p tcp -m unclean --unclean tcp-flags -j REJECT \
      --reject-with tcp-reset
  # iptables -A INPUT -m unclean --unclean hd-cksum ...
  # iptables -A INPUT -m unclean --unclean something else ...

That way we would be able to:
- configure our router to react in a way compliant with the standard,
- make ourselves more secure,
- improve the overall versatility of netfilter and maybe make one step towards the ISAC firewall ratings (or whatever it is called, I do not remember; someone had asked about something like a proof of quality for netfilter).

What do you think?

Best Regards,
Maciej Soltysiak
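As an added example that is not part of the post above or of netfilter, the Python below classifies a constructed IPv4/TCP packet into the two defect classes the post distinguishes (bad IP header checksum versus impossible TCP flag combinations) and maps each class to the reaction the post argues for. The names hd-cksum and tcp-flags are the post's proposed option names, not existing iptables options, and the packets are built inline.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(flags: int, corrupt_cksum: bool = False) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    cksum = ip_header_checksum(bytes(ip))
    if corrupt_cksum:
        cksum ^= 0x00FF  # flip bits so the stored checksum no longer verifies
    struct.pack_into("!H", ip, 10, cksum)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return bytes(ip) + tcp


def tcp_flags_unclean(flags: int) -> bool:
    """NULL, XMAS (FIN+PSH+URG) and SYN+FIN never occur in legitimate traffic."""
    flags &= 0x3F
    return flags == 0 or flags == (FIN | PSH | URG) or bool(flags & SYN and flags & FIN)


def classify(pkt: bytes) -> list:
    """Return the defect classes found, named after the options the post proposes."""
    ihl = (pkt[0] & 0x0F) * 4
    defects = []
    if ip_header_checksum(pkt[:ihl]) != 0:
        defects.append("hd-cksum")
    if pkt[9] == 6 and tcp_flags_unclean(pkt[ihl + 13]):  # protocol 6 = TCP
        defects.append("tcp-flags")
    return defects


def response_for(defects: list) -> str:
    """Reaction the post argues for: a RST only when the flags alone are wrong,
    an ICMP parameter problem for a bad header checksum, a plain drop otherwise."""
    if not defects:
        return "accept"
    if "hd-cksum" in defects:
        return "icmp-parameter-problem"
    if defects == ["tcp-flags"]:
        return "tcp-reset"
    return "drop"
```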
