From: "Andrew Hall" <temp02@bluereef.com.au>
To: "'Eric Leblond'" <eric@inl.fr>
Cc: netfilter-devel@lists.netfilter.org
Subject: RE: conntrack clarification
Date: Mon, 6 Aug 2007 18:54:29 +1000 [thread overview]
Message-ID: <24966838.281186390464437.JavaMail.root@localhost> (raw)
In-Reply-To: <3434740.221186389567173.JavaMail.root@localhost>
> This is linked with your ruleset. The point to consider is that for the
> conntrack NEW is not equivalent to SYN packet for TCP. If you only
> filter on NEW, then packet from the previously existing connection will
> be classified as NEW and trigger the creation of a new valid entry.
This is true, but how? I no longer have a "new" rule to allow connection. Here's the logic of what I'm trying to do:
1. First, set up SSH connection with the following ruleset:
- add a rule matching "established and related" connections to be allowed
- add a rule matching "new" connections from host for SSH to be allowed
- Policy is drop all
2. SSH is connected from host running 'top' to keep the session active
3. delete the "new" connection rule and 'conntrack -F' to flush the existing connections.
At this point I would have thought the conntrack table doesn't know the existing connection is "established" because the table entry is gone and without the "new" rule providing connection establishment, the session should be lost?
"Blue Reef disclaimer: This electronic message transmission contains information that is confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of the contents of this information is prohibited. If you have received this transmission in error, please notify us by telephone immediately."
Scanned by Sonar.
Date: 2007-08-06 18:54:24
From: temp02@bluereef.com.au
To: netfilter-devel@lists.netfilter.org
Mail id: challenge-63904640371
next parent reply other threads:[~2007-08-06 8:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <3434740.221186389567173.JavaMail.root@localhost>
2007-08-06 8:54 ` Andrew Hall [this message]
2007-08-06 9:07 ` conntrack clarification Jan Engelhardt
2007-08-06 10:27 ` Krzysztof Oledzki
[not found] ` <8883276.421186396148778.JavaMail.root@localhost>
2007-08-07 4:00 ` Andrew Hall
2007-08-06 12:37 ` Pascal Hambourg
[not found] <29656818.1521186459222779.JavaMail.root@localhost>
2007-08-07 8:08 ` Andrew Hall
2007-08-07 9:42 ` Pascal Hambourg
2007-08-06 8:31 Andrew Hall
2007-08-06 8:38 ` Eric Leblond
-- strict thread matches above, loose matches on Subject: below --
2007-08-06 0:17 Conntrack clarification Andrew Hall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24966838.281186390464437.JavaMail.root@localhost \
--to=temp02@bluereef.com.au \
--cc=eric@inl.fr \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.