"New TCP Must Be SYN" - should it be applied to fo

Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue Jun 22, 2021 17:29    Post subject: "New TCP Must Be SYN" - should it be applied to fo
"New TCP Must Be SYN" (-p tcp ! --syn -m conntrack --ctstate NEW -j DROP) is a rule often applied to INPUT tables to improve firewall security by reducing ACK scanning. Does it make sense to apply the same rule to FORWARD tables?
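As an added illustration (not code from this thread or from DD-WRT), a small Python model of what the rule in the question matches: the `--syn` test and the conntrack NEW state, evaluated over constructed packets and addresses. The verdict logic is the same whichever chain (INPUT or FORWARD) carries the rule; the last case shows the side effect to check for before adding it to FORWARD, namely that a LAN host's existing session looks NEW again once the router's conntrack state is lost and is dropped instead of being picked up.

```python
from collections import namedtuple

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"
Packet = namedtuple("Packet", "src sport dst dport flags")

def is_syn(pkt):
    """Model of the iptables --syn match: SYN set, ACK/RST/FIN all clear."""
    return SYN in pkt.flags and not (pkt.flags & {ACK, RST, FIN})

class Conntrack:
    """Toy conntrack table: a flow is known once a packet of it has passed."""
    def __init__(self):
        self.table = set()
    def key(self, pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    def state(self, pkt):
        # Like nf_conntrack with tcp_loose=1: an unknown flow is NEW even when
        # the packet is a bare ACK, which is exactly what the rule tests for.
        return "ESTABLISHED" if self.key(pkt) in self.table else "NEW"
    def record(self, pkt):
        self.table.add(self.key(pkt))

def new_tcp_must_be_syn(pkt, ct):
    """Verdict of '-p tcp ! --syn -m conntrack --ctstate NEW -j DROP'."""
    if ct.state(pkt) == "NEW" and not is_syn(pkt):
        return "DROP"
    return "CONTINUE"  # rule did not match; later rules in the chain decide

def run_chain(packets, ct=None):
    """Apply the rule in order; flows that get past it are recorded
    (simplification: a later rule is assumed to accept them)."""
    ct = ct if ct is not None else Conntrack()
    verdicts = []
    for pkt in packets:
        verdict = new_tcp_must_be_syn(pkt, ct)
        if verdict == "CONTINUE":
            ct.record(pkt)
        verdicts.append(verdict)
    return verdicts

def demo():
    # Constructed addresses: a LAN host, a remote web server, an external prober.
    lan, srv, probe = "192.168.1.10", "198.51.100.5", "203.0.113.7"
    syn = Packet(lan, 40000, srv, 443, frozenset({SYN}))
    ack = Packet(lan, 40000, srv, 443, frozenset({ACK}))
    ack_probe = Packet(probe, 55555, lan, 22, frozenset({ACK}))  # ACK-scan style
    live = run_chain([syn, ack, ack_probe])  # handshake passes, bare ACK probe dropped
    after_loss = run_chain([ack])            # same flow after conntrack state was lost
    return live, after_loss
```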
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Wed Jun 23, 2021 8:16
I think it is used for port/firewall probing of the router's firewall, so this attack will not penetrate the firewall, e.g. not necessary/useful on the FORWARD chain, I guess.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087