Linux Netfilter discussions
From: "Tyler J. Wagner" <tyler@tolaris.com>
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: ssh session are hanging when firewall is restarted
Date: Thu, 25 Aug 2011 08:28:46 +0100
Message-ID: <4E55F9AE.3010506@tolaris.com>
In-Reply-To: <4E55E602.6040905@riverviewtech.net>

On 2011-08-25 07:04, Grant Taylor wrote:
> I'd sit down and think about how frequently this "problem" (such as it is)
> happens and if it has enough impact to cause me to want to re-design
> firewall rules to take it in to account.

Indeed. A better solution:

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

If your firewall script clears the connection states (conntrack -F) or
unloads and reloads the kernel modules (thus doing the same thing), you
will always have this problem, and no different iptables design will fix it.

Regards,
Tyler

-- 
"The Congress shall have Power . . . To promote the Progress of Science
and useful Arts, by securing for limited Times to Authors and Inventors
the exclusive Right to their respective Writings and Discoveries."
   -- Article I, Section 8, U.S. Constitution
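
An added example, not part of Tyler's message or of netfilter itself: a small Python model of the three INPUT rules above plus a conntrack table, showing why an in-flight SSH session survives a plain rule reload but not a conntrack flush. The sample flow tuple and the default-DROP policy at the end of the chain are constructed assumptions; the model follows the kernel default nf_conntrack_tcp_loose=1, under which a mid-stream packet of an unknown flow is classified as NEW.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dport: int
    syn_only: bool    # True for a bare SYN, which is what `--syn` matches
    flow: tuple       # (src, sport, dst, dport) identifying the connection

@dataclass
class Conntrack:
    table: set = field(default_factory=set)   # flows the kernel has confirmed

    def state(self, pkt):
        # Assumes nf_conntrack_tcp_loose=1: an unknown flow is NEW, not INVALID
        return "ESTABLISHED" if pkt.flow in self.table else "NEW"

    def flush(self):
        # Models `conntrack -F` or an unload/reload of the conntrack modules
        self.table.clear()

def input_chain(pkt, ct):
    """Walk the three rules in order and return the verdict for one packet."""
    st = ct.state(pkt)
    # -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    if pkt.proto == "tcp" and not pkt.syn_only and st == "NEW":
        return "DROP"
    # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    if pkt.proto == "tcp" and pkt.dport == 22:
        ct.table.add(pkt.flow)    # an accepted NEW packet creates the entry
        return "ACCEPT"
    return "DROP"                 # assumed chain policy (hypothetical)

def ssh_session_after_reload(flush_conntrack):
    """Open an SSH session, reload the firewall, then send one more keystroke."""
    ct = Conntrack()
    flow = ("10.0.0.5", 51000, "10.0.0.1", 22)      # constructed sample flow
    syn = Packet("tcp", 22, syn_only=True, flow=flow)
    ack = Packet("tcp", 22, syn_only=False, flow=flow)
    verdicts = [input_chain(syn, ct)]               # handshake: NEW + SYN -> rule 3
    verdicts.append(input_chain(ack, ct))           # data packet: ESTABLISHED -> rule 2
    if flush_conntrack:
        ct.flush()                                  # the firewall script wiped the states
    verdicts.append(input_chain(ack, ct))           # next packet after the reload
    return verdicts
```

With the states intact the result is ACCEPT, ACCEPT, ACCEPT; after a flush the third packet is a non-SYN packet in state NEW and rule 1 drops it, which is exactly the hang the thread describes.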

Thread overview: 8+ messages
2011-08-24 13:42 ssh session are hanging when firewall is restarted Adishesh M
2011-08-25  5:41 ` Adishesh M
2011-08-25  6:04 ` Grant Taylor
2011-08-25  7:28   ` Tyler J. Wagner [this message]
2011-08-25  8:06   ` Jan Engelhardt
2011-08-25 10:15 ` Pandu Poluan
2011-08-25 10:34   ` Adishesh M
2011-08-25 10:51     ` Tyler J. Wagner