Existing connections / changing IpTables

Robert Nichols rnicholsNOSPAM at comcast.net
Sat Jan 21 06:05:04 UTC 2006


jludwig wrote:
> On Friday 20 January 2006 17:22, Robert Nichols wrote:
> 
>>Richard Emberson wrote:
>>
>>>Thank you for response.
>>>What I was asking was: You've got an existing set of IpTable rules and
>>>you have a set of current/active connections that are governed by those
>>>rules. If you then change the rules, what happens to the existing
>>>connections?
>>>Are they still associated with the old rules, or are the new rules
>>>applied?
>>>
>>>If an old rule says that a connection from a particular machine is
>>>allowed and you currently have such a connection and then you install new
>>>rules that disallow connections from that machine - will the existing
>>>connection be terminated or still remain open?
>>
>>The packets would be filtered according to the new rules.  But, one of
>>the first rules in most rule sets is a rule that allows packets for any
>>EXISTING or RELATED connection.  Loading a new iptables rule set does
>>not flush the conntrack table, so packets for the old connections would
>>still get through unless blocked by something earlier than that rule.
>>
> 
> Agreed, and, yes, this EXISTING,RELATED rule is near the top for performance 
> reasons --> BUT <--  after some safeguard rules. (This system is also after a 
> router with its own firewall.)

Then if you change those "safeguard" rules such that they now block
some ESTABLISHED (not "EXISTING" -- sorry, pardon my brain fart) or
RELATED connections, those connections will suddenly stop working.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
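The ordering effect described in this thread, as an added toy model that is not part of the original mailing-list post or of iptables itself: a chain is walked in order, a reload replaces the rules but leaves the conntrack table alone, and whether an old connection survives depends only on whether a blocking rule sits before or after the ESTABLISHED,RELATED accept rule. The addresses and port are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
Flow = Tuple[str, str, int]  # (source address, destination address, dest port)

@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    src: Optional[str] = None      # -s match; None means any source
    state: Optional[str] = None    # -m state --state match; None means any state

@dataclass
class Firewall:
    rules: List[Rule]
    conntrack: Set[Flow] = field(default_factory=set)  # flows already accepted
    policy: str = "DROP"           # chain policy when no rule matches

    def load_rules(self, rules: List[Rule]) -> None:
        self.rules = list(rules)   # like a rule-set reload: conntrack is NOT touched

    def flush_conntrack(self) -> None:
        self.conntrack.clear()     # what an explicit conntrack flush would do

    def filter(self, flow: Flow) -> str:
        """Walk the chain in order; the first matching rule decides the verdict."""
        state = "ESTABLISHED,RELATED" if flow in self.conntrack else "NEW"
        verdict = self.policy
        for rule in self.rules:
            if rule.src is not None and rule.src != flow[0]:
                continue
            if rule.state is not None and rule.state != state:
                continue
            verdict = rule.action
            break
        if verdict == "ACCEPT":
            self.conntrack.add(flow)   # an accepted packet creates/refreshes the entry
        return verdict

ACCEPT_EST = Rule("ACCEPT", state="ESTABLISHED,RELATED")

def reload_scenario(drop_before_established: bool, flush: bool = False) -> Tuple[str, str]:
    """Open a connection from a constructed client, reload rules that now drop it,
    and return the verdicts for a packet before and a packet after the reload."""
    client: Flow = ("10.0.0.5", "10.0.0.1", 22)          # constructed sample flow
    fw = Firewall([ACCEPT_EST, Rule("ACCEPT", src="10.0.0.5")])
    before = fw.filter(client)          # NEW packet, accepted, flow now tracked
    drop_client = Rule("DROP", src="10.0.0.5")
    fw.load_rules([drop_client, ACCEPT_EST] if drop_before_established
                  else [ACCEPT_EST, drop_client])
    if flush:
        fw.flush_conntrack()
    return before, fw.filter(client)    # next packet of the same connection
```

With the drop rule after the ESTABLISHED,RELATED rule the old connection keeps working; placing it before that rule (a "safeguard" rule), or flushing conntrack, cuts the connection off.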
