[Bug 98] state ESTABLISHED allow ipip tunnels
bugzilla-daemon at bugzilla.netfilter.org
Fri Sep 24 17:46:58 CEST 2004
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98
------- Additional Comments From elacour at easter-eggs.com 2004-09-24 17:46 CEST -------
(In reply to comment #5)
> This is expected behavior...
>
> The first rule of your INPUT chain where you allow ESTABLISHED continues to
> allow the IPIP tunnel until that conntrack expires (600 seconds as you note).
>
> If you want to block this immediately, insert a DROP rule before the
> ESTABLISHED rule. If you instead wish to lower the timeout, take a look at:
>
I know that :)
> /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
>
> you can issue an
>
> echo X > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
>
> where X is the timeout you prefer.
Thanks, I didn't see this.
You can close the bug now.
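A rule-order check for the situation described in the quoted reply, as an added example that is not part of the original mail or of netfilter: it reads `iptables -S` style text and reports IPIP DROP rules placed after an ESTABLISHED ACCEPT rule, where they will not cut an already tracked tunnel until its conntrack entry expires. The sample rulesets and the protocol aliases are constructed assumptions.

```python
import shlex

# Spellings treated as IPIP (IP protocol 4). Assumed aliases: adjust to what
# `iptables -S` prints on your system.
IPIP_NAMES = {"4", "ipencap", "ipv4"}

def parse_rule(line):
    """Return a dict for one `-A CHAIN ...` line, or None for any other line."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "proto": None, "states": set(),
            "target": None, "text": line.strip()}
    for i in range(2, len(tok) - 1):
        if tok[i - 1] == "!":          # negated matches are skipped, not modelled
            continue
        opt, val = tok[i], tok[i + 1]
        if opt in ("-p", "--protocol"):
            rule["proto"] = val.lower()
        elif opt in ("--state", "--ctstate"):   # state and conntrack matches
            rule["states"] = set(val.upper().split(","))
        elif opt in ("-j", "--jump"):
            rule["target"] = val
    return rule

def shadowed_drops(ruleset, chain="INPUT", protos=IPIP_NAMES):
    """Pairs (accept_rule, drop_rule) where the DROP follows an ESTABLISHED ACCEPT.

    Other matches on the ACCEPT rule (interface, address) are ignored, so a
    finding means "review this ordering", not proof that traffic passes.
    """
    accept, findings = None, []
    for line in ruleset.splitlines():
        r = parse_rule(line)
        if r is None or r["chain"] != chain:
            continue
        if (accept is None and r["target"] == "ACCEPT" and "ESTABLISHED" in r["states"]
                and (r["proto"] is None or r["proto"] in protos)):
            accept = r
        elif accept and r["target"] in ("DROP", "REJECT") and r["proto"] in protos:
            findings.append((accept["text"], r["text"]))
    return findings

# Constructed rulesets: DROP after the ESTABLISHED rule, then DROP inserted before it.
BEFORE = "-P INPUT DROP\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p 4 -j DROP\n"
AFTER = "-P INPUT DROP\n-A INPUT -p 4 -j DROP\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"

if __name__ == "__main__":
    for name, rs in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, shadowed_drops(rs))
```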