Aren't these connections ESTABLISHED? (2nd take)

Henrik Nordstrom hno at marasystems.com
Sun Oct 2 04:16:24 CEST 2005


On Sat, 1 Oct 2005, /dev/rob0 wrote:

> Also, I'm not sure it would do anything at all, because there cannot be
> that many --state NEW connections in such a short time. Conntrack would
> call those "RELATED". I think you should try --syn, not --state NEW.

The SYN part is correct, but not RELATED.

Each time a new connection is seen (unique source/destination/ports) the 
first packet is NEW, simply by the fact that the connection is not yet 
known to conntrack.

Conntrack calls SYN retransmits on already accepted connections 
ESTABLISHED.

RELATED is "NEW" on other traffic flows which form a known related 
connection to an already known connection. For example the data channel in 
the FTP protocol.

NEW is not related to SYN, even if most TCP packets with state NEW are SYN 
packets. Any packet from a TCP (or UDP) session not yet known to conntrack 
is NEW, even a TCP RST packet.


Regards
Henrik
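The distinction Henrik draws (NEW is "unknown to conntrack", not "has the SYN flag"; a retransmitted SYN on an accepted connection is ESTABLISHED; an expected FTP data channel is RELATED) can be made concrete with a small model of the state assignment. The following is an added example, not code from the thread or from netfilter: the names (`Packet`, `Conntrack`, `is_syn`, `run_scenario`) and the addresses are constructed, and the FTP expectation is registered by hand instead of being parsed out of a real PASV reply. Real nf_conntrack also has an INVALID verdict for packets its TCP tracker rejects, which the model leaves out.

```python
"""Toy model of conntrack state assignment (NEW / ESTABLISHED / RELATED).

Added example; names and addresses are assumptions, not netfilter code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, empty for UDP


def is_syn(p):
    """Mimics iptables --syn: SYN set, ACK/RST/FIN clear."""
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})


class Conntrack:
    def __init__(self):
        # original-direction tuple -> {"seen_reply": bool, "related": bool}
        self.table = {}
        # expectations a protocol helper (e.g. FTP) announced: (proto, dst, dport)
        self.expectations = set()

    def expect(self, proto, dst, dport):
        self.expectations.add((proto, dst, dport))

    def classify(self, p):
        orig = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if orig in self.table:
            entry = self.table[orig]
            if entry["seen_reply"]:
                # e.g. a retransmitted SYN on an accepted connection
                return "ESTABLISHED"
            return "RELATED" if entry["related"] else "NEW"
        if reply in self.table:
            # first packet in the reply direction: the connection is accepted
            self.table[reply]["seen_reply"] = True
            return "ESTABLISHED"
        # Unknown flow: the first packet is NEW whatever its flags (in this
        # model even a bare RST), unless a helper expected it -> RELATED.
        related = (p.proto, p.dst, p.dport) in self.expectations
        if related:
            self.expectations.discard((p.proto, p.dst, p.dport))
        self.table[orig] = {"seen_reply": False, "related": related}
        return "RELATED" if related else "NEW"


def run_scenario():
    """Constructed packet sequence; returns (state, matches --syn) per packet."""
    ct = Conntrack()
    client, server, stranger = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    packets = [
        Packet("tcp", client, 40000, server, 21, frozenset({"SYN"})),         # FTP control SYN
        Packet("tcp", server, 21, client, 40000, frozenset({"SYN", "ACK"})),  # server reply
        Packet("tcp", client, 40000, server, 21, frozenset({"SYN"})),         # retransmitted SYN
        Packet("tcp", client, 40001, server, 50001, frozenset({"SYN"})),      # FTP data channel
        Packet("tcp", stranger, 1234, server, 21, frozenset({"RST"})),        # stray RST, no flow
        Packet("udp", client, 5353, server, 53),                              # UDP is tracked too
    ]
    # what the FTP helper would register after seeing the server's PASV reply
    ct.expect("tcp", server, 50001)
    return [(ct.classify(p), is_syn(p)) for p in packets]


if __name__ == "__main__":
    for state, syn in run_scenario():
        print(f"{state:12} --syn={syn}")
```

The fifth packet is the one the post is about: a rule with `--state NEW` matches it (the flow is unknown to conntrack) while a rule with `--syn` does not, so a per-source connection limit written with `--syn` counts only handshake attempts, and one written with `--state NEW` also counts any stray first packet conntrack accepts.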