Linux Netfilter discussions
From: Michael Renzmann <mrenzmann@otaku42.de>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: "selective" connection tracking?
Date: Fri, 31 Oct 2003 11:47:19 +0100
Message-ID: <3FA23DB7.3010300@otaku42.de>
In-Reply-To: <1067591422.812.13.camel@elendil.intranet.cartel-securite.net>

Hi Cedric.

First of all thanks for your answer.

Cedric Blancher wrote:
> However, you can use raw table that is available in patch-o-matic. This
> will imply iptables and kernel compilation. raw table is prior to
> conntrack subsystem and allows you to choose whether a packet has to go
> through conntrack or not, using NOTRACK target:
> 
> 	iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 \
> 		-j NOTRACK
[...]

Thanks for the tip, I think this will do. We already use a bunch of the 
pom-patches, and if I remember correctly the RAW-patch has already been 
applied.

> Note that if you do not conntrack a connection, you lose all conntrack
> capabilities such as ICMP errors handling, helpers and NAT (as
> Netfilter's NAT relies on conntrack).

Just to be sure: it will still be possible to use conntrack for traffic 
that is targeted to the router itself, while pushing forwarded traffic 
through the router without connection tracking. Correct?

Bye, Mike
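An added example (not code from the thread) that puts Cedric's suggestion into a small ruleset: forwarded traffic to the 1.2.3.4:80 service from his rule is left untracked, while the router's own traffic stays tracked because no raw-table rule matches it. The SSH port and the sample nat dump are illustrative; set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: selective conntrack bypass with the
# raw table and the NOTRACK target. Forwarded traffic to one web server is left
# untracked; traffic to the router itself is still tracked.
# Assumptions: 1.2.3.4:80 is taken from Cedric's rule; the SSH port is
# illustrative. Set IPT="echo iptables" to print the rules without applying.

IPT="${IPT:-iptables}"

# Rules in the raw table run before conntrack, so matching packets never get
# an entry. Both directions must be matched: if only the client->server side
# is untracked, the replies would still create conntrack state.
notrack_rules() {
    dst="$1"; port="$2"
    $IPT -t raw -A PREROUTING -d "$dst" -p tcp --dport "$port" -j NOTRACK
    $IPT -t raw -A PREROUTING -s "$dst" -p tcp --sport "$port" -j NOTRACK
}

# Filter policy. INPUT keeps a normal stateful policy because nothing sent to
# the router itself is untracked. FORWARD must accept the UNTRACKED state
# explicitly: untracked packets are never NEW, ESTABLISHED or RELATED, so
# plain stateful rules would drop them. As the thread notes, ICMP error
# handling, helpers and NAT do not apply to these flows.
filter_rules() {
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Check for the NAT caveat: a destination that is untracked must not also be
# the target of a nat-table rule, or that NAT rule would silently never apply.
# Arguments: the untracked destination and the output of "iptables -t nat -S".
# Prints the number of nat rules that match the destination.
nat_conflicts() {
    dst="$1"; nat_dump="$2"
    printf '%s\n' "$nat_dump" | grep -cE -- "-d $dst(/32)?( |$)" || true
}

apply_all() {
    notrack_rules 1.2.3.4 80
    filter_rules
}
```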


