On Thu, 26 Jan 2006 21:10:00 +0200 Tomas Simonaitis <haden@xxxxxxxxxx> wrote:

> To clear things up:
> Connection which was up was not blocked in FORWARD?

No, they are not. I have an ESTABLISHED -j ACCEPT rule as the first rule.

> You only changed rule in PREROUTING ("...different source address...")?

That is correct.

> If so, "old" connection just didn't hit prerouting as it's already been there,
> and forward isn't dropping its packets.
> To me it seems to behave as expected.

Questionable. I flushed NAT. I assume that a flushed table must forget each and every previous authorization.

The way you put it, the only way to stop an old stream is to reboot the machine, which is unacceptable from my point of view.

Suppose you have a partnership and want to drop those privileges. While your late partner does not close the connection(s), (s)he will still have granted access to your intranet.

Did you think of that?

Ethy

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
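The behaviour Ethy is complaining about follows from how Netfilter separates rules from connection tracking: `iptables -t nat -F` only removes the NAT rules, while the conntrack table (which records each flow's NAT mapping and feeds the ESTABLISHED match) is untouched, so an existing flow keeps its old translation and keeps being accepted by a leading `-m state --state ESTABLISHED -j ACCEPT` rule. Revoking a partner's access without a reboot therefore means deleting that partner's conntrack entries, after which its next packet is a NEW connection and is judged by the current rules. The script below is an added example, not code from the thread or from the LARTC project; it assumes conntrack-tools (`conntrack -L` / `conntrack -D`, which need nf_conntrack_netlink) is installed on the router, and the conntrack listing it parses is constructed for the example rather than captured from a real host. It finds every entry whose original-direction source is in the revoked network and builds the matching `conntrack -D` invocations.

```python
"""Delete conntrack entries for a revoked source network.

Added example for the LARTC thread above (not the list's or the
kernel's own code). Assumes conntrack-tools is installed; the
SAMPLE_CONNTRACK listing is constructed, not captured.
"""
import ipaddress
import subprocess

# Constructed sample of `conntrack -L` output. The first src/dst/sport/dport
# quadruple is the original direction (what PREROUTING saw), the second is
# the reply direction. UDP lines carry no state word.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.1.10 sport=34567 dport=22 src=192.168.1.10 dst=10.0.0.5 sport=22 dport=34567 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=10.0.0.9 dst=192.168.1.20 sport=40001 dport=445 src=192.168.1.20 dst=10.0.0.9 sport=445 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1
tcp      6 431999 ESTABLISHED src=172.16.4.2 dst=192.168.1.10 sport=51000 dport=22 src=192.168.1.10 dst=172.16.4.2 sport=22 dport=51000 [ASSURED] mark=0 use=1
"""


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line into proto, state, orig and reply tuples."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    entry = {"proto": tokens[0], "state": None, "orig": {}, "reply": {}}
    for tok in tokens[3:]:
        if "=" not in tok:
            # A bare upper-case word such as ESTABLISHED is the L4 state;
            # bracketed flags like [ASSURED] are ignored.
            if tok.isupper() and not tok.startswith("["):
                entry["state"] = tok
            continue
        key, value = tok.split("=", 1)
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence of each key belongs to the original direction.
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = value
    return entry


def revoked_entries(listing, revoked_net):
    """Return parsed entries whose original source lies in revoked_net."""
    net = ipaddress.ip_network(revoked_net)
    hits = []
    for line in listing.splitlines():
        entry = parse_conntrack_line(line)
        if entry and "src" in entry["orig"] \
                and ipaddress.ip_address(entry["orig"]["src"]) in net:
            hits.append(entry)
    return hits


def delete_commands(entries):
    """Build one `conntrack -D` argv per entry, keyed on the original tuple."""
    cmds = []
    for entry in entries:
        orig = entry["orig"]
        cmd = ["conntrack", "-D", "-p", entry["proto"],
               "-s", orig["src"], "-d", orig["dst"]]
        if "sport" in orig:
            cmd += ["--sport", orig["sport"]]
        if "dport" in orig:
            cmd += ["--dport", orig["dport"]]
        cmds.append(cmd)
    return cmds


def revoke(revoked_net, listing=None, apply=False):
    """Compute (and optionally run) the deletions for revoked_net.

    With listing=None the live table is read via `conntrack -L`; with
    apply=True each deletion is executed, which needs root.
    """
    if listing is None:
        listing = subprocess.run(["conntrack", "-L"], capture_output=True,
                                 text=True, check=True).stdout
    cmds = delete_commands(revoked_entries(listing, revoked_net))
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in revoke("10.0.0.0/24", SAMPLE_CONNTRACK):
        print(" ".join(cmd))
```

Run as root with `revoke("10.0.0.0/24", apply=True)` after the NAT or FORWARD rules have been tightened, so that the partner's next packet starts a NEW flow and is evaluated by the new rules rather than matched as ESTABLISHED. A blunter alternative is `conntrack -F`, which drops every tracked flow on the box, including your own sessions.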