From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert Nichols
Subject: Re: block + kill connections
Date: Sun, 08 Jan 2006 20:47:16 -0600
References: <3b29fb790601081344me985167p9c06cf286126ffdb@mail.gmail.com> <200601081618.01364.rob0@gmx.co.uk> <200601081720.11675.rob0@gmx.co.uk>
In-Reply-To: <200601081720.11675.rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org

/dev/rob0 wrote:
> On Sunday 2006-January-08 16:18, I wrote:
>
>> On Sunday 2006-January-08 16:04, Robert Nichols wrote:
>>
>>>> iptables -I INPUT -s 1.2.3.4 -j DROP
>>>
>>> That will prevent communication by blocking any further incoming
>>> packets, but won't do anything to tear down the connection. See
>
> Yes, you're right, sorry. I read too quickly. You're saying this:
>
>> ... or simply that a blocked connection has not yet
>> timed out of conntrack or netstat listings.
>
> ... and you're right, the REJECT will tell the other end that the
> connection is terminated. But I doubt that the local side will show
> anything different in conntrack or netstat, unless a corresponding
> REJECT rule was used in OUTPUT.

What typically happens is that as soon as the local side transmits any
packet on the half-closed connection, the far end responds with its own
TCP RESET, and the "--tcp-flags ! FIN,RST NONE" matcher in my suggested
rule allows any packet with a RST or FIN flag to get through.

-- 
Bob Nichols
Yes, "NOSPAM" is really part of my email address.
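The point of the reply above is the semantics of the `--tcp-flags mask comp` match: only the bits named in the mask are examined, and the packet matches when exactly the bits in comp are set among them, so a negated `FIN,RST NONE` matches any segment carrying FIN or RST. The following is an added example, not code from the thread or from netfilter: a small Python model of that match and of a two-rule chain (an assumed reconstruction of the rule the author alludes to, since the full rule is not quoted in the message). It lets the blocked peer's RST or FIN reach the local stack so the half-closed connection can be torn down, while data and new SYN segments from the same source are still dropped. The rule layout, the packet values and the sample source address 1.2.3.4 (taken from the quoted command) are constructed for the example.

```python
# Model of the iptables tcp-flags match and a minimal chain evaluator.
# Added example, not netfilter code; the chain below is an assumed
# reconstruction of a "block but let teardown through" rule pair.

# TCP header flag bits, using the names iptables accepts for --tcp-flags.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec):
    """Turn an iptables flag list ('FIN,RST', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags, mask_spec, comp_spec, negate=False):
    """Semantics of '[!] --tcp-flags mask comp': look only at the bits in
    mask and match when exactly the bits listed in comp are set there."""
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    matched = (packet_flags & mask) == comp
    return not matched if negate else matched


def evaluate_chain(rules, packet, policy="ACCEPT"):
    """First-match evaluation: return the target of the first matching rule,
    or the chain policy if none matches (as an iptables chain does)."""
    for match, target in rules:
        if match(packet):
            return target
    return policy


BLOCKED_SRC = "1.2.3.4"  # address from the quoted command; constructed sample

# Assumed reconstruction of the INPUT rules under discussion:
#   1. from the blocked host, ! --tcp-flags FIN,RST NONE  -> ACCEPT
#      (any segment with FIN or RST set is let through so the local
#      stack can close the half-open connection and conntrack can expire it)
#   2. from the blocked host, everything else             -> DROP
INPUT_RULES = [
    (lambda p: p["src"] == BLOCKED_SRC
     and tcp_flags_match(p["flags"], "FIN,RST", "NONE", negate=True),
     "ACCEPT"),
    (lambda p: p["src"] == BLOCKED_SRC, "DROP"),
]


def verdicts():
    """Evaluate a few constructed segments against the chain."""
    ack, psh, rst, syn, fin = (TCP_FLAGS[n] for n in ("ACK", "PSH", "RST", "SYN", "FIN"))
    packets = {
        "data_from_blocked": {"src": BLOCKED_SRC, "flags": ack | psh},
        "syn_from_blocked":  {"src": BLOCKED_SRC, "flags": syn},
        "rst_from_blocked":  {"src": BLOCKED_SRC, "flags": rst | ack},
        "fin_from_blocked":  {"src": BLOCKED_SRC, "flags": fin | ack},
        "data_from_other":   {"src": "10.0.0.7", "flags": ack | psh},
    }
    return {name: evaluate_chain(INPUT_RULES, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} -> {verdict}")
```

The same helper also shows why the usual "new connection" match `--tcp-flags SYN,RST,ACK SYN` fires only on a bare SYN: with ACK in the mask, a SYN/ACK from the far end does not compare equal to SYN.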