Existing connections / changing IpTables
jludwig
wralphie at comcast.net
Sat Jan 21 02:51:18 UTC 2006
On Friday 20 January 2006 17:22, Robert Nichols wrote:
> Richard Emberson wrote:
> > Thank you for response.
> > What I was asking was: You've got an existing set of iptables rules and
> > you have a set of current/active connections that are governed by those
> > rules. If you then change the rules, what happens to the existing
> > connections?
> > Are they still associated with the old rules or are the new rules
> > applied.
> >
> > If an old rule says that a connection from a particular machine is
> > allowed and you currently have such a connection and then you install new
> > rules that disallow connections from that machine - will the existing
> > connection be terminated or still remain open?
>
> The packets would be filtered according to the new rules. But, one of
> the first rules in most rule sets is a rule that allows packets for any
> EXISTING or RELATED connection. Loading a new iptables rule set does
> not flush the conntrack table, so packets for the old connections would
> still get through unless blocked by something earlier than that rule.
>
Agreed, and yes, this EXISTING,RELATED rule is near the top for performance
reasons --> BUT <-- after some safeguard rules. (This system is also after a
router with its own firewall.)
> Bob Nichols Yes, "NOSPAM" is really part of my email address.
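Added example (not from any of the posters above): a small POSIX sh script that writes the kind of ruleset the thread describes, with a few safeguard rules ahead of the state-match accept (netfilter calls the state ESTABLISHED, not EXISTING) and the per-service rules after it, checks that ordering, and shows what it actually takes to cut off a host whose connections are already in the conntrack table. The interface name, the networks and the blocked address are assumptions (RFC 5737 documentation ranges); iptables-restore and conntrack (from conntrack-tools) are only invoked when the script is run as root with the argument apply, otherwise it just generates and inspects text.

```shell
#!/bin/sh
# Added example, not code from the fedora-list thread. Builds an
# iptables-restore ruleset, checks rule ordering, and shows how to cut
# existing flows from a host that has just been blocked.

LAN_IF="eth0"               # assumed inside interface
LAN_NET="192.0.2.0/24"      # assumed inside network (RFC 5737 range)
BLOCKED_HOST="198.51.100.7" # assumed host just removed from the allow list

# Emit the ruleset in iptables-restore format (pure text, applies nothing).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Safeguards first: they must see every packet, including packets that
# belong to a connection conntrack already knows about.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
# Hosts that must be cut off even mid-connection go here, before the
# state rule; below it their tracked flows would keep passing.
-A INPUT -s $BLOCKED_HOST -j DROP
# Fast path for everything conntrack has already accepted once.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only NEW connections are judged by the per-service rules below.
-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# 1-based line number of the first ruleset line containing a fixed string, 0 if absent.
rule_line() {
    n=$(build_ruleset | grep -nF -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Ordering the thread describes: INVALID drop and host blocks before
# ESTABLISHED,RELATED, per-service NEW rules after it. Returns 0 when correct.
check_rule_order() {
    inv=$(rule_line 'ctstate INVALID')
    blk=$(rule_line "s $BLOCKED_HOST -j DROP")
    est=$(rule_line 'ESTABLISHED,RELATED')
    new=$(rule_line 'ctstate NEW')
    [ "$inv" -gt 0 ] && [ "$inv" -lt "$est" ] || return 1
    [ "$blk" -gt 0 ] && [ "$blk" -lt "$est" ] || return 1
    [ "$new" -gt "$est" ] || return 1
    return 0
}

# Loading a new ruleset does not flush the conntrack table, so a host that
# merely disappeared from the NEW rules keeps its open connections until
# they time out. Either put its DROP before the state rule (as above) or
# delete its tracked entries. Printed, not executed, so sourcing is safe.
drop_existing_flows() {
    printf 'conntrack -L -s %s\n' "$1"   # list the host's tracked flows
    printf 'conntrack -D -s %s\n' "$1"   # delete them (needs root)
}

# Apply for real only when asked explicitly:  sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    check_rule_order || { echo "rule order wrong, not applying" >&2; exit 1; }
    build_ruleset | iptables-restore
    drop_existing_flows "$BLOCKED_HOST" | sh
fi
```

The point from Bob's reply lives in drop_existing_flows and in the placement of the BLOCKED_HOST rule: new rules are applied to every packet, but a packet for an already-tracked connection reaches the state rule and is accepted there, so the only ways to terminate such a connection are a DROP that sits above the state rule or removing the entry from the conntrack table.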