Re: Existing connections / changing IpTables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Richard Emberson wrote:
Thank you for response.
What I was asking was: You've got an existing set of IpTable rules and you
have a set of current/active connections that are governed by those rules. If you then change the rules, what happens to the existing connections?
Are they still associated with the old rules or are the new rules applied.

If an old rule says that a connection from a particular machine is allowed
and you currently have such a connection and then you install new rules
that disallow connections from that machine - will the existing connection
be terminated or still remain open?

The packets would be filtered according to the new rules.  But, one of
the first rules in most rule sets is a rule that allows packets for any
EXISTING or RELATED connection.  Loading a new iptables rule set does
not flush the conntrack table, so packets for the old connections would
still get through unless blocked by something earlier than that rule.

One caveat -- some people think of a browser session as a "connection".
A web browser may open many TCP connections in the course of fetching a
web page and its related files, and as far as conntrack is concerned
those are all totally independent connections.  Contrast that with
an FTP session, where each data connection is RELATED to the original
control connection (ignoring the possibility of 3rd party FTP, which
is pretty much a dead issue on today's Internet).

--
Bob Nichols         Yes, "NOSPAM" is really part of my email address.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux