On Nov 27 2007 11:07, Phil Oester wrote:
>
> I use a fairly short 2 hour established timeout on firewalls I operate,
> which works fine for most purposes. Occasionally, however, it would
> be nice to have a longer timeout for *certain* types of traffic
> such as SSH or telnet sessions.
>
> So, below find a TIMEOUT target to enable such per-conntrack timeouts.
> Syntax for SSH would be something like:
>
>   iptables -A foo -p tcp --dport 22 -j TIMEOUT --timeout 123456
>   iptables -A foo -p tcp --dport 22 -j ACCEPT
>
> It could of course also be used to lower the timeouts on some traffic,
> such as HTTP.
>

Considering TCP only...

If my firewall allows 'NEW' connections (-m conntrack --ctstate NEW) on
non-SYN packets, what good will xt_TIMEOUT do? If the ct entry times out,
a new one will be created once the next packet flows.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
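The objection in the reply above is easy to miss when reading the proposed rules on their own, so here is an added illustration (not code from the thread, from Phil Oester's patch, or from netfilter itself) that models it. A toy conntrack table holds one expiry time per flow and refreshes it on every accepted packet using a per-port timeout, standing in for the `-j TIMEOUT --timeout N` rule. The `new_requires_syn` flag stands in for the well-known `-p tcp ! --syn -m conntrack --ctstate NEW -j DROP` rule (or `net.netfilter.nf_conntrack_tcp_loose=0`). With mid-stream pickup allowed, an HTTP flow whose timeout was lowered to 300 s simply gets a fresh NEW entry when traffic resumes after the entry expired, which is exactly the point made above; with the SYN requirement, that packet is dropped, and only then does the shortened timeout enforce anything. The class and function names, the 300 s HTTP timeout and the sample traffic are all constructed for this example; real conntrack also tracks direction and the TCP state machine, which this model omits.

```python
# Toy model of conntrack entry timeouts versus the "NEW on non-SYN" policy.
# Added illustration only; names and sample traffic are made up here.

DEFAULT_ESTABLISHED = 2 * 3600          # the 2 h established timeout from the thread
PER_PORT_TIMEOUT = {
    22: 123456,   # what "-p tcp --dport 22 -j TIMEOUT --timeout 123456" would set
    80: 300,      # an assumed lowered timeout for HTTP
}


class Firewall:
    """Stateful filter: per-flow expiry table plus a policy for NEW packets."""

    def __init__(self, new_requires_syn):
        # True  models "-p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
        #       (equivalently nf_conntrack_tcp_loose=0).
        # False models the default: a non-SYN packet with no entry is picked
        #       up mid-stream and classified NEW.
        self.new_requires_syn = new_requires_syn
        self.entries = {}   # (saddr, sport, daddr, dport) -> expiry time

    def timeout_for(self, flow):
        dport = flow[3]
        return PER_PORT_TIMEOUT.get(dport, DEFAULT_ESTABLISHED)

    def handle(self, t, flow, syn):
        """Return (conntrack state, verdict) for one packet at time t."""
        expiry = self.entries.get(flow)
        if expiry is not None and t < expiry:
            state = "ESTABLISHED"
        else:
            self.entries.pop(flow, None)   # entry absent or already timed out
            state = "NEW"
        if state == "NEW" and not syn and self.new_requires_syn:
            return state, "DROP"
        # ACCEPT creates or refreshes the entry with the flow's own timeout,
        # which is what a per-conntrack TIMEOUT target would achieve.
        self.entries[flow] = t + self.timeout_for(flow)
        return state, "ACCEPT"


# Constructed sample traffic: (time in seconds, flow, is_syn).
SSH = ("10.0.0.5", 40001, "192.0.2.1", 22)
HTTP = ("10.0.0.5", 40000, "192.0.2.1", 80)
TRAFFIC = [
    (0, SSH, True),          # SSH handshake
    (5, HTTP, True),         # HTTP handshake
    (15, HTTP, False),       # HTTP data, refreshes expiry to 315
    (400, HTTP, False),      # HTTP resumes after the entry expired at 315
    (10800, SSH, False),     # SSH idle 3 h: past 2 h default, within 123456 s
]


def simulate(new_requires_syn):
    """Run TRAFFIC through a Firewall; return (dport, t, state, verdict) per packet."""
    fw = Firewall(new_requires_syn)
    return [(flow[3], t, *fw.handle(t, flow, syn)) for t, flow, syn in TRAFFIC]


if __name__ == "__main__":
    for policy in (False, True):
        print("new_requires_syn =", policy)
        for row in simulate(policy):
            print("  dport=%d t=%-6d %-11s %s" % row)
```

The fourth row is the one the reply is about: under the loose policy it reads `NEW ACCEPT` and a new entry appears, so lowering the HTTP timeout bought nothing; under the strict policy it reads `NEW DROP`. The last row shows the other direction working as intended in both cases, since the SSH entry's 123456 s timeout outlives the 2 h default either way.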