[Bug 98] state ESTABLISHED allow ipip tunnels
bugzilla-daemon at bugzilla.netfilter.org
Fri Sep 24 17:32:55 CEST 2004
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98
------- Additional Comments From netfilter at linuxace.com 2004-09-24 17:32 CEST -------
This is expected behavior...
The first rule of your INPUT chain where you allow ESTABLISHED continues to
allow the IPIP tunnel until that conntrack expires (600 seconds as you note).
If you want to block this immediately, insert a DROP rule before the
ESTABLISHED rule. If you instead wish to lower the timeout, take a look at:
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
you can issue an
echo X > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
where X is the timeout you prefer.
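The two fixes the comment suggests, written out as an added example (not part of the bug report): put an IPIP DROP ahead of the ESTABLISHED rule so the already-tracked tunnel can no longer match it, and shorten the generic conntrack timeout via sysctl. The helper names, the DRY_RUN switch and the sample rule listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Without DRY_RUN=1 the iptables and
# sysctl calls need root and a kernel with ip_conntrack loaded.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The DROP must sit above the ESTABLISHED accept: a rule appended below it is
# never reached for a flow that conntrack already considers established.
block_ipip_first() {
    run iptables -I INPUT 1 -p ipip -j DROP
}

# Timeout for protocols conntrack has no helper for (IPIP included), in
# seconds; the kernel default is 600. Same knob as the /proc path above.
set_generic_timeout() {
    run sysctl -w "net.ipv4.netfilter.ip_conntrack_generic_timeout=$1"
}

# Read "iptables -S INPUT" output on stdin; return 0 if an IPIP DROP appears
# before the first ESTABLISHED ACCEPT rule, 1 otherwise.
check_order() {
    awk '
        /-p (ipip|4) .*-j DROP/ && !seen_est { found = 1 }
        /ESTABLISHED.*-j ACCEPT/            { seen_est = 1 }
        END { exit found ? 0 : 1 }
    '
}
```

Run `iptables -S INPUT | check_order` after applying the rule to confirm the ordering actually took effect.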