From: "Hard__warE" <hard__ware@hotmail.com>
To: netfilter@lists.samba.org
Subject: Flag SYN not necessarily state NEW?
Date: Sat, 15 Jun 2002 12:35:35 +1000
Message-ID: <000501c21415$544d0e40$7b0010ac@dynamicaccess.lan>
> > On Wed, 8 May 2002, Ing. Christian Ogris wrote:
> > I connect from Box A via SSH to Box B, where the firewall runs, and I
> > get the state "NEW" on the first packet.
> > Then - the first connection is still established - I connect AGAIN from
> > Box A to Box B and do NOT get the state "NEW" anymore. (So obviously
> > it's already accepted by the ESTABLISHED,RELATED -j ACCEPT rule).
> > Is this behavior correct?
> No. But so far nobody has reported such an ill-behaviour. I assume
> something is wrong in your setup/logging.
>
> Regards,
> Jozsef
I have tested this as I'm running SSH, and as you can see here in the
printout of my packets, I don't even need an ESTABLISHED,RELATED rule for
SSH from the Internet or internally; this is handled by the ip_conntrack
module and so on .. :-) .
(Notice my SSH box has its own IP on the firewall, yet I have still
restricted access to the box to only SSH.)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination
   51 38424 ACCEPT     all  --  *      eth0    172.16.0.22     172.16.0.0/16
/> netstat -C
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 yes-dave.dynamicacc:ssh 172.16.0.123:2867       ESTABLISHED
Active UNIX domain sockets (w/o servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 yes-dave.dynamicacc:ssh 172.16.0.123:2872       ESTABLISHED
tcp        0      0 yes-dave.dynamicacc:ssh 172.16.0.123:2871       ESTABLISHED
tcp        0      0 yes-dave.dynamicacc:ssh 172.16.0.123:2867       ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
When I connect the first time (have not logged on yet) my SSH server says
the connection is already ESTABLISHED and not NEW, and that's the same for
every connection after this. The reason behind this is SSH needs to
establish an ESTABLISHED connection to the server before any data is
correctly encrypted .. :D
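The state classification the thread is arguing about, as an added toy model (not netfilter's own code): ip_conntrack keys its entries on the 5-tuple, so each SSH connection from a different client port is a separate entry, and a packet matching no entry in either direction is reported NEW whether or not SYN is set. The client ports are the ones from the netstat output above; the server address 172.16.0.22 is taken from the OUTPUT rule and is an assumption.

```python
"""Toy model of ip_conntrack's TCP state classification (added example,
not netfilter code). Entries are keyed on (proto, src, sport, dst, dport)."""
from typing import Dict, List, Tuple

Tuple5 = Tuple[str, str, int, str, int]
SERVER = "172.16.0.22"   # assumption: the SSH box's address from the OUTPUT rule
CLIENT = "172.16.0.123"  # client seen in the netstat output


class ConntrackTable:
    def __init__(self) -> None:
        self.entries: Dict[Tuple5, int] = {}   # tuple -> packets seen

    def classify(self, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> str:
        orig = (proto, src, sport, dst, dport)
        reply = (proto, dst, dport, src, sport)
        for key in (orig, reply):            # either direction of a known flow
            if key in self.entries:
                self.entries[key] += 1
                return "ESTABLISHED"
        # No entry in either direction: conntrack creates one and reports NEW.
        # The 2.4 tracker did this for any unmatched packet, SYN or not.
        self.entries[orig] = 1
        return "NEW"


def is_suspicious_new(state: str, syn: bool) -> bool:
    """The condition a '-p tcp ! --syn -m state --state NEW -j DROP' rule matches."""
    return state == "NEW" and not syn


def walk(table: ConntrackTable, packets: List[tuple]) -> List[str]:
    """packets: (src, sport, dst, dport, syn). Returns one label per packet."""
    out = []
    for src, sport, dst, dport, syn in packets:
        state = table.classify("tcp", src, sport, dst, dport)
        note = " (non-SYN NEW, would be dropped)" if is_suspicious_new(state, syn) else ""
        out.append(state + note)
    return out


# Constructed sequence: two SSH connections, then a stray mid-stream ACK.
SCENARIO = [
    (CLIENT, 2867, SERVER, 22, True),    # first SSH connection: SYN
    (SERVER, 22, CLIENT, 2867, True),    # SYN/ACK back: matches the reply tuple
    (CLIENT, 2867, SERVER, 22, False),   # data on the same connection
    (CLIENT, 2871, SERVER, 22, True),    # second connection while the first is open
    (CLIENT, 2872, SERVER, 22, False),   # ACK with no tracked entry: still NEW
]

if __name__ == "__main__":
    for pkt, label in zip(SCENARIO, walk(ConntrackTable(), SCENARIO)):
        print(pkt[:4], label)
```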