Re: [SLUG] FTP/Firewall Esoterica

From: Jason Copenhaver (jcopenha@typedef.org)
Date: Mon Aug 13 2001 - 08:51:51 EDT


On Mon, 13 Aug 2001, Paul M Foster wrote:

> ipchains -A input -p TCP -y -j DENY -d <isp gateway machine>
>
> On the surface, this doesn't look like it would affect anything.
> However, according to the firewall script comments, this has something
> to do with "stealth". According to the ipchains man page, the -y flag
> says that it only matches TCP packets with the SYN bit set and the ACK
> and FIN bits cleared. Such packets are used to initiate TCP connections.
>
> I set my wife's ftp connection to passive, and all went okay.
>
> But my question is, would denying packets like this prevent an "active"
> ftp session from occurring? If so, how?
>

I'm thinking this would deny FTP sessions because when FTP goes to
transfer data it opens a connection to your machine. So if you block all
packets that come in with SYN turned on (the first of the 3 part handshake
of TCP) then the FTP server won't be able to open a connection to you.
However this is a good rule to have to keep from getting SYN flooded.. you
just need to modify it so that you accept connections from a particular
source port, 20 I think. I'm not sure about that source port, you might
want to check it out somewhere else..

Jason

(it's early.. no coffee.. someone please correct me if I've erred)
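As an added example, not code from the thread: a small Python model of the quoted ipchains rule (the `-d <isp gateway machine>` match left out) applied to the inbound packets each FTP mode produces, with Jason's source-port-20 modification beside it. The port numbers in the constructed packets are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the fields the ipchains rule in the thread looks at."""
    proto: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    fin: bool


def is_syn_only(pkt):
    """ipchains -y: TCP with SYN set and ACK and FIN cleared, i.e. a connection request."""
    return pkt.proto == "TCP" and pkt.syn and not pkt.ack and not pkt.fin


def stealth_rule(pkt):
    """ipchains -A input -p TCP -y -j DENY: drop every inbound connection request."""
    return "DENY" if is_syn_only(pkt) else "PASS"


def stealth_rule_with_ftp_data_hole(pkt):
    """Jason's suggested change: accept inbound SYNs when the source port is 20
    (ftp-data), the port an active-mode server connects back from."""
    if is_syn_only(pkt) and pkt.src_port == 20:
        return "ACCEPT"
    return stealth_rule(pkt)


# Constructed inbound packets as the client's firewall would see them.
# Active mode: the server opens the data connection from port 20 to the
# client port announced in the PORT command, so the first inbound packet is a bare SYN.
ACTIVE_DATA_SYN = Packet("TCP", 20, 49152, syn=True, ack=False, fin=False)
# Passive mode: the client opens the data connection outward, so what comes
# back inbound is the server's SYN+ACK, which -y does not match.
PASSIVE_DATA_SYNACK = Packet("TCP", 50000, 49153, syn=True, ack=True, fin=False)
# Caveat for the port-20 exception: any remote host can choose source port 20,
# so the hole admits connection requests that have nothing to do with FTP.
UNRELATED_SPORT20_SYN = Packet("TCP", 20, 22, syn=True, ack=False, fin=False)


def evaluate(rule):
    return {"active": rule(ACTIVE_DATA_SYN), "passive": rule(PASSIVE_DATA_SYNACK),
            "unrelated_sport20": rule(UNRELATED_SPORT20_SYN)}


if __name__ == "__main__":
    print("bare -y DENY rule: ", evaluate(stealth_rule))
    print("with sport-20 hole:", evaluate(stealth_rule_with_ftp_data_hole))
```

The model agrees with Jason's reading (active mode dies, passive survives) and shows why a blanket source-port-20 exception is weaker than tracking the PORT command: it accepts any connection request that happens to come from port 20.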



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:13:16 EDT