From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>,
Jan Engelhardt <jengelh@medozas.de>,
Richard Feng <rfeng@wurldtech.com>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: conntrack-tools 0.9.14 can not block the connection
Date: Mon, 10 May 2010 01:16:28 +0200
Message-ID: <4BE7424C.9020108@netfilter.org>
In-Reply-To: <alpine.DEB.2.00.1005082227270.30449@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> On Fri, 7 May 2010, Pascal Hambourg wrote:
>
>>> I think what was really meant was tcp_loose, not tcp_be_liberal.
>> In my understanding, tcp_loose only allows conntrack to pick up
>> connections from the middle, but packets are still INVALID until the
>> required number of packets is seen and accepted. Am I wrong?
>
> No, the packets are set to the usual states, there's no packet counting.
>
> With tcp_loose enabled (default) conntrack accepts non-SYN packets as
> "NEW" ones, i.e. attempts to pick up connections from the middle.
>
> With tcp_be_liberal enabled (default is disabled) out of window packets
> are not marked as INVALID.
I have applied the following patch to the documentation based on this
discussion. I have also uploaded a new version of the webpage.
[-- Attachment #2: f.patch --]
[-- Type: text/x-patch, Size: 1867 bytes --]
doc: description on how to block traffic with conntrack was incomplete
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch completes the documentation with the following discussion
that took place in the mailing list.
http://marc.info/?l=netfilter&m=127335152521674&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/manual/conntrack-tools.tmpl | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index b897318..ab4e5fb 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -19,7 +19,7 @@
</authorgroup>
<copyright>
- <year>2008</year>
+ <year>2008-2010</year>
<holder>Pablo Neira Ayuso</holder>
</copyright>
@@ -198,7 +198,12 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown.
conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated.
</programlisting>
-<para>Delete one entry, this can be used to block traffic (you have to set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</emphasis> to zero).</para>
+<para>Delete one entry, this can be used to block traffic if:</para>
+<itemizedlist>
+ <listitem><para>You have a stateful rule-set that blocks traffic in INVALID state.</para></listitem>
+ <listitem><para>You have to set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version, to zero.</para></listitem>
+</itemizedlist>
+
<programlisting>
# conntrack -D -p tcp --dport 3486
tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1
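Review bot: the second list item is still phrased as an instruction ("You have to set ... to zero"), which does not fit the "block traffic if:" lead-in, and neither item says why the setting matters. Suggest rewording it as a condition that carries the reason from the thread, e.g. "<emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> (or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version) is set to zero, so that conntrack does not pick the connection up again from the middle once its entry is gone; the remaining packets are then INVALID and dropped by the rule-set above." The lead sentence "Delete one entry, this can be used to block traffic if:" is a comma splice; "Deleting an entry can be used to block traffic if:" reads better. While touching this section, the unchanged example below runs `conntrack -D -p tcp --dport 3486` but the entry it shows has `dport=993` and `sport=34846`, so the command and its output do not match.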
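To make the point of the thread concrete, here is a small model of the two sysctls as described above, followed by the "delete the entry, then send the next segment" scenario the patched documentation covers. This is an added illustration written for this page, not kernel code and not part of conntrack-tools: the `Conntrack` class, `Packet` and `stateful_ruleset` are simplified stand-ins for the kernel's TCP tracker and for a rule-set that drops INVALID and accepts ESTABLISHED and NEW, and the flow tuple is taken from the example entry in the patch.

```python
"""Simplified model of nf_conntrack's TCP classification under tcp_loose and
tcp_be_liberal, and of a stateful rule-set acting on the resulting ctstate.
Added example for this page; it is a model of the semantics described in the
thread, not the kernel implementation."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    syn: bool                # True for a bare SYN (connection attempt)
    in_window: bool = True   # False models an out-of-window segment


@dataclass
class Conntrack:
    tcp_loose: int = 1        # kernel default is 1 (pick up from the middle)
    tcp_be_liberal: int = 0   # kernel default is 0 (out-of-window is INVALID)
    table: set = field(default_factory=set)   # flows currently tracked

    def classify(self, flow, pkt):
        """Return the ctstate conntrack would assign to pkt on this flow."""
        if flow in self.table:
            # Known flow: only the window check can make it INVALID,
            # and tcp_be_liberal=1 switches that check off.
            if not pkt.in_window and not self.tcp_be_liberal:
                return "INVALID"
            return "ESTABLISHED"
        # Unknown flow: a SYN always starts tracking as NEW.
        if pkt.syn:
            self.table.add(flow)
            return "NEW"
        # Non-SYN on an unknown flow: with tcp_loose=1 conntrack picks the
        # connection up from the middle and calls it NEW; otherwise INVALID.
        if self.tcp_loose:
            self.table.add(flow)
            return "NEW"
        return "INVALID"

    def delete(self, flow):
        """Model of `conntrack -D` removing this flow's entry."""
        self.table.discard(flow)


def stateful_ruleset(ctstate):
    """The rule-set the documentation assumes: INVALID is dropped,
    ESTABLISHED/RELATED is accepted, NEW to the service is accepted."""
    if ctstate == "INVALID":
        return "DROP"
    if ctstate in ("ESTABLISHED", "RELATED", "NEW"):
        return "ACCEPT"
    return "DROP"


# Flow tuple from the example entry shown in the patch (constructed input).
FLOW = ("192.168.2.100", 34846, "123.59.27.117", 993)


def block_by_deletion(tcp_loose):
    """Open a flow, delete its entry, then classify the next data segment.
    Returns the rule-set verdict for that segment."""
    ct = Conntrack(tcp_loose=tcp_loose)
    ct.classify(FLOW, Packet(syn=True))                    # handshake starts it
    assert ct.classify(FLOW, Packet(syn=False)) == "ESTABLISHED"
    ct.delete(FLOW)                                        # conntrack -D ...
    return stateful_ruleset(ct.classify(FLOW, Packet(syn=False)))


def out_of_window_verdict(tcp_be_liberal):
    """Verdict for an out-of-window segment on a flow that is still tracked."""
    ct = Conntrack(tcp_be_liberal=tcp_be_liberal)
    ct.classify(FLOW, Packet(syn=True))
    return stateful_ruleset(ct.classify(FLOW, Packet(syn=False, in_window=False)))


if __name__ == "__main__":
    for loose in (1, 0):
        print(f"tcp_loose={loose}: segment after deletion -> {block_by_deletion(loose)}")
    for liberal in (0, 1):
        print(f"tcp_be_liberal={liberal}: out-of-window segment -> {out_of_window_verdict(liberal)}")
```

Running it shows the two results the thread arrives at: with tcp_loose left at its default of 1 the segment that follows the deletion is picked up as NEW and the rule-set lets the connection resume, whereas with tcp_loose=0 it is INVALID and dropped; tcp_be_liberal only decides whether out-of-window segments on a flow that is still tracked are INVALID, so it has no bearing on blocking by deletion.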