On Fri, 2002-03-22 at 18:15, David Talkington wrote:
> Mike Burger wrote:
>
> >> Why am I getting this error? In my /etc/sysconfig/ipchains script, I
> >> have:
> >> -A input -p tcp -s 0/0 -d 0/0 2401 -y -j ACCEPT
> >>
> >> Where am I going wrong?
> >
> > Try -A INPUT -i eth0 -p tcp --dport 2401 -j ACCEPT
> >
> > The --dport is important.
>
> No, he had that part right, Mike; note that this is ipchains, not
> iptables ... the part I think we should examine is the -y. This rule
> _only_ matches packets with the SYN bit set.
>
> Kevin, if this rule is on the server, the -y should be dropped. If it's
> on the client, you probably meant ' ! -y ', don't you think?
No, -y is correct as well. Most ipchains/iptables scripts focus on controlling access by dropping TCP packets with the SYN bit and UDP packets in general. TCP packets *without* the SYN bit would be dropped anyway if they aren't part of an established connection. I just woke up from a nap, so I can't remember why focus is directed to TCP packets with the SYN flag rather than TCP packets in general.
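An added example, not from anyone in this thread, that models the -y semantics being debated: ipchains -y matches a TCP packet only when SYN is set and ACK and FIN are both clear, so the rule quoted above admits only the opening packet of a connection to port 2401. The packet objects, the rule subset and the handshake samples are constructed here for illustration.

```python
# Toy evaluator for the ipchains rule subset discussed in the thread:
#   -A input -p tcp -s 0/0 -d 0/0 2401 -y -j ACCEPT
# Only protocol, destination port and the -y / "! -y" flag are modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional

SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits (constructed constants)


@dataclass
class Packet:
    proto: str
    dport: int
    flags: int = 0  # TCP flag bitmask; ignored for non-TCP


@dataclass
class Rule:
    proto: str
    dport: int
    syn_only: Optional[bool]  # True = -y, False = "! -y", None = not given
    target: str


def is_syn_only(flags: int) -> bool:
    """ipchains -y: SYN set, and both ACK and FIN clear."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if the packet would hit this rule."""
    if pkt.proto != rule.proto or pkt.dport != rule.dport:
        return False
    if rule.syn_only is None:
        return True
    return is_syn_only(pkt.flags) == rule.syn_only


# The rule from the thread, and its "! -y" variant.
CVS_SYN_RULE = Rule("tcp", 2401, True, "ACCEPT")
CVS_NOT_SYN_RULE = Rule("tcp", 2401, False, "ACCEPT")

# Constructed packets as they arrive on the CVS server's input chain.
SERVER_INPUT: Dict[str, Packet] = {
    "client SYN": Packet("tcp", 2401, SYN),          # connection open
    "client ACK": Packet("tcp", 2401, ACK),          # handshake completes
    "client data": Packet("tcp", 2401, ACK),         # established traffic
    "stray SYN-ACK": Packet("tcp", 2401, SYN | ACK),  # not a fresh open
    "udp probe": Packet("udp", 2401),                # wrong protocol
}


def accepted(rule: Rule, inputs: Dict[str, Packet]) -> List[str]:
    """Names of the sample packets that the rule accepts."""
    return [name for name, p in inputs.items() if matches(rule, p)]
```

Running `accepted(CVS_SYN_RULE, SERVER_INPUT)` shows that the -y rule only ever sees the client's initial SYN; every later packet of the same connection falls through to whatever rule handles established traffic.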