The firewall will keep a TCP link in its connection tables through 5 days of inactivity. It will close its connection quickly if it sees the closure handshaking (FIN, ACK) or a RST is sent. I think that ACK from the public side, followed by a response from the private side, may also establish a connection unless the "TCP window tracking" patch is installed. But this is from memory.

Try this. If you dump the conntrack table, you will see the timeout left (in seconds, 2nd number, large). This counts down from 5 days (of seconds) for established TCP connections. If the connection is inactive, the number will be smaller by the period of inactivity.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonas Lindborg
Sent: Saturday, August 30, 2003 08:38
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: ip_conntrack vs netstat

Hello,

When comparing the output of /proc/net/ip_conntrack with the "netstat" command, I'm seeing a few established connections in ip_conntrack that are not presented by netstat. These are familiar connections (ssh, imap) to known hosts that could very well have been done by me, but not in the last 24 hrs, so they should have timed out a long time ago. "ps" shows no such processes running, so this immediately raises the suspicion that the machine could be compromised and connections are hidden from netstat and ps. But if this was the case there should be some connections to unknown hosts showing in ip_conntrack as well, so I should be able to rule out that possibility (?).

Now for my question: Can anyone confirm that ip_conntrack can show "ghost" connections like these?
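The check the reply suggests, written out as an added example (not code from either poster): parse /proc/net/ip_conntrack lines, infer each ESTABLISHED TCP entry's inactivity from how far its countdown has run below the 5-day default, and list entries that are both idle longer than 24 h and absent from the local socket table. The 432000-second default, the sample conntrack lines and the netstat socket set are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed default ip_conntrack timeout for an ESTABLISHED TCP entry: 5 days, in seconds.
ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 432000
_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

@dataclass
class ConntrackEntry:
    timeout: int  # seconds left before the entry expires (the countdown the reply mentions)
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def idle_seconds(self) -> int:
        """Seconds since the last packet, inferred from how far the countdown has run."""
        return ESTABLISHED_TIMEOUT - self.timeout

def parse_conntrack_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one /proc/net/ip_conntrack line; returns None unless it is tcp ESTABLISHED."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "tcp" or fields[3] != "ESTABLISHED":
        return None
    # The first src/dst/sport/dport group is the original direction; the reply tuple repeats the keys.
    orig = {}
    for key, value in _KV.findall(line):
        orig.setdefault(key, value)
    return ConntrackEntry(int(fields[2]), orig["src"], int(orig["sport"]), orig["dst"], int(orig["dport"]))

def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [e for e in map(parse_conntrack_line, text.splitlines()) if e is not None]

def ghost_candidates(entries: List[ConntrackEntry], netstat_sockets: Set[Tuple[str, int, str, int]],
                     max_idle: int = 24 * 3600) -> List[ConntrackEntry]:
    """ESTABLISHED entries idle longer than max_idle with no matching local socket
    (netstat_sockets holds (local_ip, local_port, remote_ip, remote_port) tuples)."""
    return [e for e in entries
            if e.idle_seconds > max_idle and (e.src, e.sport, e.dst, e.dport) not in netstat_sockets]
# Constructed sample input (not a real capture): a fresh ssh entry, an imap entry last
# seen about 36 hours ago, and a udp entry that the parser ignores.
SAMPLE_CONNTRACK = """\
tcp      6 431950 ESTABLISHED src=192.168.1.10 dst=192.168.1.20 sport=40001 dport=22 src=192.168.1.20 dst=192.168.1.10 sport=22 dport=40001 [ASSURED] use=1
tcp      6 300000 ESTABLISHED src=192.168.1.10 dst=192.168.1.30 sport=40002 dport=143 src=192.168.1.30 dst=192.168.1.10 sport=143 dport=40002 [ASSURED] use=1
udp     17 170 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1
"""
# Constructed netstat view of the same host: only the ssh socket exists locally.
SAMPLE_NETSTAT = {("192.168.1.10", 40001, "192.168.1.20", 22)}
```

On a box that forwards traffic for other hosts, conntrack entries for forwarded flows never appear in local netstat, so absence alone is expected there and only the idle time is informative. The 5-day figure is the default; if the established timeout has been tuned, substitute the configured value or the inferred idle time will be off by the difference.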