anders at anduras.de
Fri Dec 3 12:11:01 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
Patrick Schaaf wrote:
|>Is it possible to reset the conntrack list or set any entry to the state
|>NEW to force a recheck against new filter rules?
|>~ If I set the (new) filtering rules with the target DROP, I want old
|>~ (existing) connections to be dropped immediatly.
| Consider using REJECT. This has two advantages: it gives the end
| systems you are now blocking a chance at state cleanup (instead of
| needlessly wasting memory and CPU resources on a connection that you
| now elect to forbit). But, the greater advantage: the packets that
| the end systems exchange in response to the connection teardown,
| are JUST what you need to get rid of their conntracks.
This is not exactly what I'm meant...
Consider the following scenario:
~ 1. Set firewall rules
~ a) ACCEPT on all --state RELATED,ESTABLISHED
~ b) with ACCEPT on ports 22 and 80
~ 2. Remote client creates connection through the firewall
~ on the port 80 (CONNTRACK state is: NEW)
~ It will be allowed due to the ACCEPT policy...
~ 3. Server answers and connection CONNTRACK state will be changed
~ to ESTABLISHED
~ 4. Set new firewall rules:
~ Changed b) to only allow port 22
~ 5. The connection to port 80 will continue to exists, because
~ it CONNTRACK state did not change and we have rule a)...
~ 1) Recheck all CONNTRACK entries against the new firewall rules.
~ 2) Set all CONNTRACK entries with states RELATED or ESTABLISHED to
~ NEW, to force the recheck.
Is there any way to accomplish this?
~ Sven Anders <anders at anduras.de>
~ ANDURAS service solutions AG
~ Innstraße 71 - 94036 Passau - Germany
~ Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Rechtsform: Aktiengesellschaft - Sitz: Passau - Amtsgericht Passau HRB 6032
Mitglieder des Vorstands: Sven Anders, Marcus Junker, Michael Schön
Vorsitzender des Aufsichtsrats: Dipl. Kfm. Karlheinz Antesberger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the netfilter-devel