> Well, at least the connections belonging to NAT should be destroyed
> because there is no authorization for these data flows anymore.
> Don't you agree?

Don't know. The Netfilter developers would have to answer that one. The netfilter guys have a userspace conntrack program that (I think) lets you look at the conntrack database. And I think there are some data structures in the /proc filesystem. But I haven't dug into them.

- Greg

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 9:16 AM
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: nat table remembering nat's

On Thu, 26 Jan 2006 08:58:34 -0600
"Greg Scott" <GregScott@xxxxxxxxxxxxxxxxxxx> wrote:

> No, it just flushes the rules and changes the policy to ACCEPT. The
> connections are still connected. I do this all the time with
> firewalls up and running. If flushing the rules killed all the active
> connections, it would be super disruptive.

Well, at least the connections belonging to NAT should be destroyed because there is no authorization for these data flows anymore. Don't you agree?

> I suppose if you want to stop connections, flush the rules and then
> set the policy to DROP - do 2 commands instead of just flushing.

I did this. Stopped (flushed) all (I really mean all) rules and started them again with a different source address for the NAT rules. My surprise was that the old NAT connection continued to flow despite the fact that there was no rule in the NAT table for it.

I suppose this old connection is still flowing because the conntrack database states it as ESTABLISHED and it is grabbed by the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?

I suppose that once a data flow is established its conntrack database entry is only deleted if you or the other party kills the application that holds the connection alive. BTW rebooting the machine stops the old data flow and only accepts the second (new) one.
(unnecessary to say that rebooting clears the conntrack database, of course).

> Take what I say for what it's worth. I am not a netfilter developer,
> just a long-time user.

And so am I. Just a long-time user since ipfwadm.

(Any developer reading this could please shed some light on this?)

Ethy
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
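The behaviour Ethy describes, a NATed flow surviving an `iptables -F` because its conntrack entry is still ESTABLISHED, is easy to verify from the table Greg mentions. The following parser is an added example, not code from either poster or from the netfilter project: it reads the text layout of /proc/net/nf_conntrack (the older /proc/net/ip_conntrack and the output of `conntrack -L` use the same layout minus the leading "ipv4 2" columns), works out from the original and reply tuples which entries are SNAT or DNAT, and lists the entries still being SNATed to an address that no current rule would choose. The sample table, the addresses and the function names are constructed for this example.

```python
"""Parse a Linux conntrack table dump and flag NAT entries that outlived the
rules that created them.

Assumed input layout: the text format of /proc/net/nf_conntrack (the older
/proc/net/ip_conntrack and `conntrack -L` print the same fields without the
leading "ipv4 2" family columns). Every sample line below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample table: two flows SNATed behind 203.0.113.5 (the address the
# old SNAT rule used), one flow SNATed behind 203.0.113.9 (the current address)
# and one LAN flow with no NAT at all. The last line uses the old ip_conntrack layout.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.1.11 dst=198.51.100.21 sport=40001 dport=80 src=198.51.100.21 dst=203.0.113.9 sport=80 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.12 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.12 sport=53 dport=5353 mark=0 use=1
tcp      6 431980 ESTABLISHED src=192.168.1.13 dst=198.51.100.22 sport=33000 dport=22 src=198.51.100.22 dst=203.0.113.5 sport=22 dport=33000 [ASSURED] use=1
"""

PROTO_RE = re.compile(r"\b(tcp|udp|udplite|icmp|icmpv6|sctp|dccp|gre)\s+\d+\b")
STATE_RE = re.compile(
    r"\b(ESTABLISHED|SYN_SENT2?|SYN_RECV|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|NONE)\b"
)
ADDR_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")
PORT_RE = re.compile(r"sport=(\d+)\s+dport=(\d+)")


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: Optional[int]  # None for protocols without ports (e.g. icmp)
    dport: Optional[int]


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    state: Optional[str]   # only TCP entries carry a state token
    original: Tuple4       # the flow as it arrived at the box
    reply: Tuple4          # the reply direction, i.e. the flow after NAT
    assured: bool


def parse_line(line: str) -> Optional[ConntrackEntry]:
    """Turn one conntrack line into an entry, or None if it is not parseable."""
    proto = PROTO_RE.search(line)
    addrs = ADDR_RE.findall(line)
    if proto is None or len(addrs) != 2:
        return None
    ports = PORT_RE.findall(line)
    if len(ports) != 2:
        ports = [(None, None), (None, None)]
    state = STATE_RE.search(line)
    tuples = [
        Tuple4(a[0], a[1], int(p[0]) if p[0] else None, int(p[1]) if p[1] else None)
        for a, p in zip(addrs, ports)
    ]
    return ConntrackEntry(
        proto=proto.group(1),
        state=state.group(1) if state else None,
        original=tuples[0],
        reply=tuples[1],
        assured="[ASSURED]" in line,
    )


def parse_conntrack(text: str) -> list:
    """Parse a whole table dump, silently skipping lines that do not fit."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def nat_kinds(entry: ConntrackEntry) -> set:
    """A flow is NATed when the reply tuple is not simply the original reversed."""
    kinds = set()
    if entry.reply.dst != entry.original.src:
        kinds.add("SNAT")   # source was rewritten on the way out
    if entry.reply.src != entry.original.dst:
        kinds.add("DNAT")   # destination was rewritten on the way in
    return kinds


def stale_snat_entries(entries, live_snat_addrs):
    """Entries still being SNATed to an address no current rule would pick."""
    live = set(live_snat_addrs)
    return [e for e in entries if "SNAT" in nat_kinds(e) and e.reply.dst not in live]


def delete_command(entry: ConntrackEntry) -> str:
    """Build the conntrack-tools command that removes exactly this entry."""
    cmd = (f"conntrack -D -p {entry.proto} -s {entry.original.src} "
           f"-d {entry.original.dst}")
    if entry.original.sport is not None:
        cmd += f" --sport {entry.original.sport} --dport {entry.original.dport}"
    return cmd


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_TABLE)
    for e in stale_snat_entries(table, {"203.0.113.9"}):
        print(f"{e.proto} {e.state} {e.original.src}:{e.original.sport} -> "
              f"{e.original.dst}:{e.original.dport} still SNATed to {e.reply.dst}")
        print("  " + delete_command(e))
```

Flushing the filter and nat tables leaves this table untouched, which is why the old flow keeps matching an "ESTABLISHED,RELATED -j ACCEPT" rule. After changing a NAT rule the administrator has to prune the table as a separate step: `conntrack -F` (from conntrack-tools) empties it completely, and the per-entry `conntrack -D` commands generated above remove only the flows the new rule set would no longer create, so unaffected connections keep working.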