I tried sending an "ACK" packet from behind my Netfilter firewall to a machine on the public side that actually doesn't exist. A look in /proc/net/ip_conntrack tells me that Netfilter tracked this connection as "ESTABLISHED" but "UNREPLIED". So Netfilter does in fact allow starting a TCP connection with an ACK packet.

dhiraj

-----Original Message-----
From: Martijn Klingens [mailto:mklingens@xxxxxx]
Sent: 09 April 2003 14:59
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: new tcp connections, without SYN

On Wednesday 09 April 2003 15:06, Cedric Blancher wrote:
> Timers for Netfilter's conntrack should be the same as TCP stacks. So,
> if conntrack times out, then destination TCP stack should time out too.
> That means if an ACK gets so delayed that the related conntrack entry gets
> dropped, then it would also be dropped by the destination TCP stack.

Aaah... that might explain my problem with 'new, not syn'.

Problem is that our firewall is a non-masquerading router for a class C subnet and that we don't have the ability to set the timeouts on all machines behind it. Isn't there a workaround to avoid this problem on the netfilter machine?

-- 
Martijn
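As an added example (not code from the thread or from the netfilter project), a small Python parser over constructed /proc/net/ip_conntrack lines that flags the kind of entry dhiraj describes: a TCP connection conntrack placed in ESTABLISHED without ever seeing a reply, i.e. one picked up from a non-SYN packet. The 2.4-era line layout, the addresses and the timeouts in the sample are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the 2.4-era /proc/net/ip_conntrack layout (assumed,
# not captured from the thread's firewall). The first line is the case from
# the thread: ESTABLISHED but [UNREPLIED], created from an ACK with no SYN.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=40000 dport=80 [UNREPLIED] src=203.0.113.9 dst=192.168.1.10 sport=80 dport=40000 use=1
tcp      6 117 SYN_SENT src=192.168.1.11 dst=203.0.113.20 sport=40001 dport=22 [UNREPLIED] src=203.0.113.20 dst=192.168.1.11 sport=22 dport=40001 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.12 dst=203.0.113.30 sport=40002 dport=443 src=203.0.113.30 dst=192.168.1.12 sport=443 dport=40002 [ASSURED] use=1
udp     17 28 src=192.168.1.13 dst=203.0.113.40 sport=5000 dport=53 [UNREPLIED] src=203.0.113.40 dst=192.168.1.13 sport=53 dport=5000 use=1
"""

# proto, protocol number, remaining timeout in seconds, optional TCP state, tuples
LINE_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$")


@dataclass
class Entry:
    proto: str
    timeout: int            # seconds left before conntrack drops the entry
    state: Optional[str]    # TCP state name, None for stateless protocols
    orig: dict              # original-direction tuple: src, dst, sport, dport
    replied: bool           # False while the entry carries [UNREPLIED]
    assured: bool           # True once conntrack has marked it [ASSURED]


def parse_conntrack(text: str):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        # the first src/dst/sport/dport group is the original direction
        orig = dict(re.findall(r"(src|dst|sport|dport)=(\S+)", rest)[:4])
        entries.append(Entry(m.group("proto"), int(m.group("timeout")), m.group("state"),
                             orig, "[UNREPLIED]" not in rest, "[ASSURED]" in rest))
    return entries


def midstream_pickups(entries):
    """TCP entries conntrack put straight into ESTABLISHED without a reply:
    no three-way handshake was observed, so the entry came from a non-SYN
    packet. A SYN_SENT [UNREPLIED] entry is a normal half-open attempt and
    is deliberately not reported."""
    return [e for e in entries
            if e.proto == "tcp" and e.state == "ESTABLISHED" and not e.replied]
```

Run against a live /proc/net/ip_conntrack, entries reported here with a large remaining timeout are the ones the firewall will keep around long after the peer has forgotten the connection.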