* Help needed with Connection tracking!!!
       [not found] <4293543d.58d9493d.63ba.000cSMTPIN_ADDED@mx.gmail.com>
@ 2005-05-24 16:27 ` Visham Ramsurrun
  2005-05-24 21:32   ` Jason Opperisano
  0 siblings, 1 reply; 2+ messages in thread
From: Visham Ramsurrun @ 2005-05-24 16:27 UTC (permalink / raw)
  To: netfilter

Hi to all,

I badly need some help with this one..

I wanted to know what happens when a stateful firewall receives a SYN
packet from client A and the next packet received by the firewall is
not the SYN/ACK packet from server B but rather the first data packet
for the same connection from server B. Let's assume that the SYN/ACK,
the ACK and the first data request packet arrived at their respective
destinations through some other route. Is the connection considered as
ESTABLISHED at that point on the firewall, which has seen traffic in
both directions?

If the answer to the above is no, would the connection be considered
as ESTABLISHED if the default behaviour of ip_conntrack was used?

Any input will be very much appreciated..

Warm regards,
Visham



* Re: Help needed with Connection tracking!!!
  2005-05-24 16:27 ` Help needed with Connection tracking!!! Visham Ramsurrun
@ 2005-05-24 21:32   ` Jason Opperisano
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Opperisano @ 2005-05-24 21:32 UTC (permalink / raw)
  To: netfilter

On Tue, May 24, 2005 at 08:27:42PM +0400, Visham Ramsurrun wrote:
> Hi to all,
> 
> I badly need some help with this one..
> 
> I wanted to know what happens when a stateful firewall receives a SYN
> packet from client A and the next packet received by the firewall is
> not the SYN/ACK packet from server B but rather the first data packet
> for the same connection from server B.

it should be marked as INVALID.

> Let's assume that the SYN/ACK,
> the ACK and the first data request packet arrived at their respective
> destinations through some other route. Is the connection considered as
> ESTABLISHED at that point on the firewall, which has seen traffic in
> both directions?

ESTABLISHED does not mean "i have seen traffic in both directions." it
means "i have seen packets in the proper directions that transition from
the NONE to ESTABLISHED state."  the states according to
ip_conntrack_proto_tcp.c:

   NONE:        initial state
   SYN_SENT:    SYN-only packet seen 
   SYN_RECV:    SYN-ACK packet seen
   ESTABLISHED: ACK packet seen

> If the answer to the above is no, would the connection be considered
> as ESTABLISHED if the default behaviour of ip_conntrack was used?

what on earth do you mean by this statement?

> Any input will be very much appreciated..

pretend you're on a 2.2 linux kernel with ipchains and write stateless
rules.  ip_conntrack is there to protect you.  those that are bothered by
its protection deserve neither its protection, nor its convenience.

-j

--
"Stewie: It rubs the lotion on its skin or else it gets the hose again."
        --Family Guy


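To make the reply's point concrete, here is an added example (not code from either poster and not the kernel's own ip_conntrack_proto_tcp.c) that models the four TCP conntrack states the reply lists, NONE, SYN_SENT, SYN_RECV and ESTABLISHED, as a small state machine and runs both scenarios through it: the normal three-way handshake and the asymmetric-routing case where the firewall sees the client's SYN and then a server data packet. The TH_* flag constants, the ct_track() function and the scenario functions are this example's own names, and the transition table is deliberately simplified: the real kernel table has more states (FIN_WAIT, CLOSE_WAIT, TIME_WAIT and so on), handles RST, and returns an IGNORE verdict for some packets, so check the actual source before relying on the model for anything beyond the SYN-then-data case discussed here.

```c
#include <stdio.h>

/* The four states named in the reply, plus INVALID as the verdict returned
 * when no transition applies. Illustrative model only, not the kernel's
 * tcp_conntracks table. */
enum ct_state { CT_NONE, CT_SYN_SENT, CT_SYN_RECV, CT_ESTABLISHED, CT_INVALID };

/* ORIGINAL is the direction of the first SYN (client A -> server B),
 * REPLY is the opposite direction (server B -> client A). */
enum ct_dir { DIR_ORIGINAL, DIR_REPLY };

/* TCP header flag bits; these names are this example's own. */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

struct ct_entry { enum ct_state state; };

/* Packet classes the simplified table distinguishes. */
enum pkt_kind { PK_SYN, PK_SYNACK, PK_ACK, PK_OTHER };

static enum pkt_kind classify(unsigned flags)
{
    if (flags & TH_RST)
        return PK_OTHER;                     /* RST handling is out of scope here */
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return PK_SYNACK;
    if (flags & TH_SYN)
        return PK_SYN;
    if (flags & TH_ACK)
        return PK_ACK;                       /* pure ACK or ACK-carrying data */
    return PK_OTHER;
}

/* Apply one packet to a tracked entry. Returns the new state, or CT_INVALID
 * when no transition exists; the entry is left unchanged on INVALID, so an
 * out-of-order packet does not advance the tracked state. */
enum ct_state ct_track(struct ct_entry *e, enum ct_dir dir, unsigned flags)
{
    enum pkt_kind k = classify(flags);
    enum ct_state next = CT_INVALID;

    switch (e->state) {
    case CT_NONE:                            /* only an original-direction SYN opens an entry */
        if (dir == DIR_ORIGINAL && k == PK_SYN) next = CT_SYN_SENT;
        break;
    case CT_SYN_SENT:                        /* waiting for the server's SYN/ACK */
        if (dir == DIR_ORIGINAL && k == PK_SYN) next = CT_SYN_SENT;   /* SYN retransmit */
        if (dir == DIR_REPLY && k == PK_SYNACK) next = CT_SYN_RECV;
        break;
    case CT_SYN_RECV:                        /* waiting for the client's final ACK */
        if (dir == DIR_ORIGINAL && k == PK_ACK) next = CT_ESTABLISHED;
        if (dir == DIR_REPLY && k == PK_SYNACK) next = CT_SYN_RECV;   /* SYN/ACK retransmit */
        break;
    case CT_ESTABLISHED:                     /* data flows as ACK-bearing segments */
        if (k == PK_ACK) next = CT_ESTABLISHED;
        break;
    default:
        break;
    }
    if (next != CT_INVALID)
        e->state = next;
    return next;
}

/* Asymmetric routing from the question: SYN seen, then the server's first
 * data segment (ACK|PSH) with the SYN/ACK and ACK having taken another path. */
enum ct_state scenario_asymmetric_verdict(void)
{
    struct ct_entry e = { CT_NONE };
    ct_track(&e, DIR_ORIGINAL, TH_SYN);
    return ct_track(&e, DIR_REPLY, TH_ACK | TH_PSH);   /* CT_INVALID */
}

/* Same scenario, but report the entry's state afterwards: traffic has been
 * seen in both directions, yet the entry is still SYN_SENT, not ESTABLISHED. */
enum ct_state scenario_asymmetric_state(void)
{
    struct ct_entry e = { CT_NONE };
    ct_track(&e, DIR_ORIGINAL, TH_SYN);
    ct_track(&e, DIR_REPLY, TH_ACK | TH_PSH);
    return e.state;                                      /* CT_SYN_SENT */
}

/* Full handshake through the firewall: the only path to ESTABLISHED. */
enum ct_state scenario_handshake(void)
{
    struct ct_entry e = { CT_NONE };
    ct_track(&e, DIR_ORIGINAL, TH_SYN);
    ct_track(&e, DIR_REPLY, TH_SYN | TH_ACK);
    return ct_track(&e, DIR_ORIGINAL, TH_ACK);           /* CT_ESTABLISHED */
}

static const char *ct_name(enum ct_state s)
{
    static const char *names[] = { "NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "INVALID" };
    return names[s];
}

int main(void)
{
    printf("asymmetric: verdict=%s entry=%s\n",
           ct_name(scenario_asymmetric_verdict()), ct_name(scenario_asymmetric_state()));
    printf("handshake:  %s\n", ct_name(scenario_handshake()));
    return 0;
}
```

Two practical consequences follow from the model. First, an INVALID verdict only becomes a drop if the ruleset says so; the usual `-m state --state INVALID -j DROP` (or a default DROP policy) is what actually discards the server's data segment, and without such a rule the packet is simply not matched by ESTABLISHED rules. Second, asymmetric routing is a well-known failure mode of any stateful filter, so the fix is to make the path symmetric through the firewall rather than to loosen tracking for those flows.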
