IPTABLES - NEW packets but no SYN bit set

18th April 2006, 02:09 PM
Been reading up on connection tracking....

As I understand it, iptables allows state NEW packets with the SYN bit unset to get through.

Why is there not a default entry like this in the config file ?
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Thanks !

18th April 2006, 03:15 PM
Use a proper firewall configuration tool as shorewall (http://shorewall.net). Don't rely upon the default iptables service to provide security, especially if you need to expose services to the Internet.