Reset conntrack...

Sven Anders anders at anduras.de
Fri Dec 3 12:11:01 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick Schaaf wrote:
|>Is it possible to reset the conntrack list or set any entry to the state
|>NEW to force a recheck against new filter rules?
|>~  If I set the (new) filtering rules with the target DROP, I want old
|>~  (existing) connections to be dropped immediatly.
|
|
| Consider using REJECT. This has two advantages: it gives the end
| systems you are now blocking a chance at state cleanup (instead of
| needlessly wasting memory and CPU resources on a connection that you
| now elect to forbit). But, the greater advantage: the packets that
| the end systems exchange in response to the connection teardown,
| are JUST what you need to get rid of their conntracks.

This is not exactly what I'm meant...

Consider the following scenario:

~ 1. Set firewall rules
~     with:
~      a) ACCEPT on all --state RELATED,ESTABLISHED
~      b) with ACCEPT on ports 22 and 80

~ 2. Remote client creates connection through the firewall
~     on the port 80 (CONNTRACK state is: NEW)
~     It will be allowed due to the ACCEPT policy...

~ 3. Server answers and connection CONNTRACK state will be changed
~    to ESTABLISHED

~ 4. Set new firewall rules:
~      Changed b) to only allow port 22

~ 5. The connection to port 80 will continue to exists, because
~    it CONNTRACK state did not change and we have rule a)...

Possible solutions:

~ 1) Recheck all CONNTRACK entries against the new firewall rules.

~ 2) Set all CONNTRACK entries with states RELATED or ESTABLISHED to
~     NEW, to force the recheck.

Is there any way to accomplish this?

Regards
~ Sven

- --
~ Sven Anders <anders at anduras.de>

~ ANDURAS service solutions AG
~ Innstraße 71 - 94036 Passau - Germany
~ Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Rechtsform: Aktiengesellschaft - Sitz: Passau - Amtsgericht Passau HRB 6032
Mitglieder des Vorstands: Sven Anders, Marcus Junker, Michael Schön
Vorsitzender des Aufsichtsrats: Dipl. Kfm. Karlheinz Antesberger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBsEnF5lKZ7Feg4EcRAuGSAJ9CcGazy29uLg3OYVyf86UZHDZ8dwCdF7do
ufAoHMfOh0O7qe+s3jYbwQI=
=5R7c
-----END PGP SIGNATURE-----


More information about the netfilter-devel mailing list