Re: Existing connections / changing IpTables

jludwig wrote:
> On Friday 20 January 2006 17:22, Robert Nichols wrote:
>> Richard Emberson wrote:
>>> Thank you for response.
>>> What I was asking was: You've got an existing set of IpTable rules and
>>> you have a set of current/active connections that are governed by those
>>> rules. If you then change the rules, what happens to the existing
>>> connections?
>>> Are they still associated with the old rules or are the new rules
>>> applied?
>>>
>>> If an old rule says that a connection from a particular machine is
>>> allowed and you currently have such a connection and then you install new
>>> rules that disallow connections from that machine - will the existing
>>> connection be terminated or still remain open?
>>
>> The packets would be filtered according to the new rules.  But, one of
>> the first rules in most rule sets is a rule that allows packets for any
>> EXISTING or RELATED connection.  Loading a new iptables rule set does
>> not flush the conntrack table, so packets for the old connections would
>> still get through unless blocked by something earlier than that rule.
>
> Agreed, and, yes, this EXISTING,RELATED rule is near the top for performance
> reasons --> BUT <-- after some safeguard rules. (This system is also after a
> router with its own firewall.)

Then if you change those "safeguard" rules such that they now block
some ESTABLISHED (not "EXISTING" -- sorry, pardon my brain fart) or
RELATED connections, those connections will suddenly stop working.

--
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
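The behaviour discussed in this thread, as an added example that is not part of the list post: a small Python model of filter-chain traversal with a conntrack table that survives a rule reload. It imitates the relevant netfilter semantics (first matching rule wins, a conntrack entry is only confirmed once a NEW packet is accepted, reloading the chain leaves the conntrack table untouched) and then reloads two variants of a new ruleset: one that puts the blocking rule after the ESTABLISHED,RELATED accept and one that puts it among the "safeguard" rules before it. All addresses, ports and rule sets are constructed for the illustration; the `Rule`, `Conntrack` and `traverse` names are this example's own, not iptables APIs.

```python
"""Constructed model of iptables INPUT-chain traversal plus a conntrack table.

Only the behaviour the thread talks about is modelled: first-match rule
traversal, ctstate matching, and a flow table that is NOT flushed when the
rule set is replaced. Addresses and ports are made up (documentation ranges).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                               # "ACCEPT" or "DROP"
    src: Optional[str] = None                 # like -s <addr>; None matches any source
    dport: Optional[int] = None               # like --dport <port>; None matches any port
    ctstate: Optional[FrozenSet[str]] = None  # like -m conntrack --ctstate; None matches any


class Conntrack:
    """Flow table keyed by (src, dst, dport). It lives independently of the rules."""

    def __init__(self) -> None:
        self.flows = set()

    def state(self, pkt: Packet) -> str:
        return "ESTABLISHED" if (pkt.src, pkt.dst, pkt.dport) in self.flows else "NEW"

    def confirm(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.dst, pkt.dport))


def traverse(chain: List[Rule], pkt: Packet, ct: Conntrack, policy: str = "DROP") -> str:
    """Return the verdict for pkt: first matching rule wins, else the chain policy.
    A NEW flow only becomes a conntrack entry if its first packet is accepted."""
    state = ct.state(pkt)
    verdict = policy
    for rule in chain:
        if rule.src is not None and rule.src != pkt.src:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.ctstate is not None and state not in rule.ctstate:
            continue
        verdict = rule.target
        break
    if verdict == "ACCEPT" and state == "NEW":
        ct.confirm(pkt)
    return verdict


# Constructed rule sets. SAFEGUARD stands in for the poster's early "safeguard" rules.
EST_REL = Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"}))
SAFEGUARD = Rule("DROP", src="203.0.113.66")
ALLOW_SSH = Rule("ACCEPT", src="198.51.100.7", dport=22)
BLOCK_HOST = Rule("DROP", src="198.51.100.7")

OLD_RULES = [SAFEGUARD, EST_REL, ALLOW_SSH]
NEW_RULES_AFTER_CT = [SAFEGUARD, EST_REL, BLOCK_HOST]        # block placed after the ctstate rule
NEW_RULES_IN_SAFEGUARDS = [SAFEGUARD, BLOCK_HOST, EST_REL]   # block placed before the ctstate rule


def reload_scenario(new_rules: List[Rule]) -> dict:
    """Open a session under OLD_RULES, replace the chain with new_rules without
    flushing conntrack, and report the verdict for the open session's next
    packet and for a brand-new connection from the same host."""
    ct = Conntrack()
    session = Packet("198.51.100.7", "192.0.2.10", 22)
    if traverse(OLD_RULES, session, ct) != "ACCEPT":
        raise RuntimeError("setup failed: the session should open under OLD_RULES")
    # Rule reload: the chain is swapped, the conntrack table is not touched.
    existing = traverse(new_rules, session, ct)
    fresh = traverse(new_rules, Packet("198.51.100.7", "192.0.2.10", 443), ct)
    return {"existing_connection": existing, "new_connection": fresh}


def rules_before_ctstate_accept(chain: List[Rule]) -> List[Rule]:
    """Audit helper: DROP rules that precede the ESTABLISHED,RELATED accept.
    These are the only rules that can cut off sessions already in conntrack."""
    before = []
    for rule in chain:
        if rule.ctstate and "ESTABLISHED" in rule.ctstate and rule.target == "ACCEPT":
            break
        if rule.target == "DROP":
            before.append(rule)
    return before


if __name__ == "__main__":
    print("block after ctstate rule:  ", reload_scenario(NEW_RULES_AFTER_CT))
    print("block in safeguards:       ", reload_scenario(NEW_RULES_IN_SAFEGUARDS))
    print("can cut existing sessions: ", rules_before_ctstate_accept(NEW_RULES_IN_SAFEGUARDS))
```

Run as a script it prints the two outcomes side by side: with the block rule after the ESTABLISHED,RELATED accept the already-open session keeps working and only new connections are refused, whereas placing it among the safeguards drops the open session's very next packet. The audit helper is the check worth running on a real ruleset before a reload (for instance over the output of `iptables-save`): anything dropping before the ctstate accept is what can terminate live sessions, which is exactly the effect the reply describes.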