James B. Byrne <byrnejb at ...> writes:

> Would someone please explain to me the difference in effect between
> the following two IPTABLES conditions and the significance thereof in
> concurrent connection limiting?
>
> --tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \
> --connlimit-above 3 --connlimit-mask 32
>
> --state NEW -j REJECT \
> --connlimit-above 3 --connlimit-mask 32

Your first example will review only TCP packets and ensure that, out of SYN, ACK, FIN and RST, the only flag set is SYN (it doesn't care about the URG flag). The --state NEW example, on the other hand, matches ANY new packet. This will capture protocols including OSPF, UDP, etc. An easy way to see what it captures is to set the target to LOG:

[13982781.141620] IN= OUT=homework0 SRC=192.168.254.2 DST=224.0.0.5 LEN=84 TOS=0x00 PREC=0xC0 TTL=1 ID=64815 PROTO=89
[13982784.953439] IN= OUT=br0 SRC=192.168.2.206 DST=8.8.8.8 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=65012 PROTO=UDP SPT=58492 DPT=53 LEN=43

I hope that's of help to you,

Matthew Gillespie
CTI Networks
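To make the difference between the two conditions concrete, here is an added example (editor's code, not part of the original thread or anything either poster wrote). It models the semantics of `--tcp-flags SYN,ACK,FIN,RST SYN` (mask/compare on TCP flags, TCP only) and of `--state NEW` (first packets of a flow, any protocol) and runs both over iptables LOG lines. The first two LOG lines are the ones quoted in the reply; the remaining five are constructed, with invented addresses and ports, to cover the TCP cases. The conntrack model is a deliberate simplification (an assumption of this example): it tracks only "has a reply been seen for this flow", ignoring timeouts and TCP window/state checks, so it never classifies anything as INVALID.

```python
"""Which of the two iptables conditions from the thread matches a packet?

Editor's added example, not code from the original post.  Semantics modelled:

  --tcp-flags SYN,ACK,FIN,RST SYN  TCP only; of the four flags in the mask,
                                   exactly SYN must be set.  Flags outside
                                   the mask (URG, PSH, ECE, CWR) are ignored.
  --state NEW                      any protocol; the flow has not yet seen a
                                   reply (simplified conntrack, see below).
"""

TCP_FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# The condition from the thread's first rule.
RULE_MASK = frozenset({"SYN", "ACK", "FIN", "RST"})
RULE_COMP = frozenset({"SYN"})


def parse_log_line(line):
    """Parse one iptables LOG line into a dict of KEY=VALUE fields plus a
    'FLAGS' frozenset of the bare TCP flag tokens (SYN, ACK, ...).  The first
    LEN= (IP total length) wins over the second one (UDP payload length)."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)
        elif tok in TCP_FLAG_NAMES:
            flags.add(tok)
    fields["FLAGS"] = frozenset(flags)
    return fields


def tcp_flags_match(pkt, mask=RULE_MASK, comp=RULE_COMP):
    """'--tcp-flags MASK COMP': non-TCP never matches; for TCP the flags that
    fall inside MASK must equal COMP exactly, all other flags are ignored."""
    if pkt.get("PROTO") != "TCP":
        return False
    return (pkt["FLAGS"] & mask) == comp


def state_new_match(pkt, table):
    """'--state NEW' against a toy conntrack table (dict, mutated in place).
    Assumption/simplification: a packet is NEW when its flow is unknown, or
    when it travels in the original direction and no reply has been seen yet
    (so a retransmitted SYN is still NEW); the first reply makes the flow
    ESTABLISHED.  Real conntrack also applies timeouts and TCP state checks."""
    src = (pkt.get("SRC"), pkt.get("SPT"))
    dst = (pkt.get("DST"), pkt.get("DPT"))
    key = (pkt.get("PROTO"), frozenset([src, dst]))
    entry = table.get(key)
    if entry is None:
        table[key] = {"orig": src, "replied": False}
        return True
    if src != entry["orig"]:
        entry["replied"] = True
        return False
    return not entry["replied"]


def classify(lines):
    """For each LOG line return (matches_tcp_flags_rule, matches_state_new)."""
    table, results = {}, []
    for line in lines:
        pkt = parse_log_line(line)
        results.append((tcp_flags_match(pkt), state_new_match(pkt, table)))
    return results


# Constructed LOG lines: the first two are quoted in the reply (OSPF hello,
# DNS query); the rest are invented (DNS reply, TCP SYN, SYN/ACK, data, SYN+URG).
SAMPLE_LOG = [
    "[13982781.141620] IN= OUT=homework0 SRC=192.168.254.2 DST=224.0.0.5 LEN=84 TOS=0x00 PREC=0xC0 TTL=1 ID=64815 PROTO=89",
    "[13982784.953439] IN= OUT=br0 SRC=192.168.2.206 DST=8.8.8.8 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=65012 PROTO=UDP SPT=58492 DPT=53 LEN=43",
    "[13982784.971002] IN=br0 OUT= SRC=8.8.8.8 DST=192.168.2.206 LEN=99 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=58492 LEN=79",
    "[13982790.100000] IN=br0 OUT= SRC=192.168.2.206 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[13982790.120000] IN= OUT=br0 SRC=192.0.2.10 DST=192.168.2.206 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=65160 RES=0x00 ACK SYN URGP=0",
    "[13982790.130000] IN=br0 OUT= SRC=192.168.2.206 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=10002 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0",
    "[13982791.000000] IN=br0 OUT= SRC=192.168.2.206 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10003 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 URG SYN URGP=1",
]

if __name__ == "__main__":
    for line, (flags_hit, new_hit) in zip(SAMPLE_LOG, classify(SAMPLE_LOG)):
        pkt = parse_log_line(line)
        print(f"{pkt['PROTO']:>4} {pkt.get('SRC')}->{pkt.get('DST')} "
              f"tcp-flags={flags_hit} NEW={new_hit}")
```

Running it shows the split the reply describes: the OSPF hello and the DNS query match only `--state NEW`, the plain SYN and the SYN-with-URG match both conditions (URG is outside the mask, so it is not examined), and the SYN/ACK reply, the data segment and the DNS reply match neither.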