I've seen plenty of firewall rulesets over the past 25 years which only consult state after doing some initial stateless inspection.
I don't have a convenient source though.
Sanity checks, sure, but SYN,!ACK packets cannot be rejected before the conntrack for obvious reasons.
> Plenty of setups block incoming SYN,!ACK packets
Nowhere close to being "plenty". It's doable, but this is extremely niche.