Connection table management


Two questions,

1) I've seen tools like cutter that jump through hoops to kill connections using RSTs with invalid sequence numbers... However, is there any way to force iptables to delete a connection entry from the connection table so that further packets arriving for that connection can simply be DROPed/REJECTed because there is no ASSURED/ESTABLISHED matching state?

2) Short of setting up logging rules for RST/FIN packets, is there a way to get iptables to log connection teardowns and the cause for the teardown (especially since RST/FIN is not the only way that a connection can be dropped from the table, i.e., when the kernel drops the connection from the table because of inactivity)?

In general, while I am impressed with the performance/stability/manageability of an iptables firewall, either I'm not looking in the right place for documentation, or direct manipulation of the connection table is not available without resorting to kernel level programming.

Thanx.

--Markley Dykeman
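The two operations asked about above, as an added example that is not part of the original post: it assumes the conntrack-tools `conntrack` command and `logger` are installed and that the live commands run as root, and the sample DESTROY event line is constructed to match the `conntrack -E` output format as assumed here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes conntrack-tools
# (`conntrack`) is installed; delete_entry and log_teardowns need root.

# Remove one tracked TCP connection from the kernel's conntrack table so
# later packets for it no longer match an ESTABLISHED/ASSURED state rule.
# Arguments: src dst sport dport
delete_entry() {
    conntrack -D -p tcp -s "$1" -d "$2" --sport "$3" --dport "$4"
}

# Turn one DESTROY event line (as printed by `conntrack -E`, read on
# stdin) into a compact log line. Only the original-direction tuple is
# kept; non-DESTROY lines produce no output.
format_destroy() {
    awk '/^ *\[DESTROY\]/ {
        proto = $2; src = dst = sport = dport = ""; flag = "unassured"
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" && src == "") src = kv[2]
            else if (kv[1] == "dst" && dst == "") dst = kv[2]
            else if (kv[1] == "sport" && sport == "") sport = kv[2]
            else if (kv[1] == "dport" && dport == "") dport = kv[2]
            else if ($i == "[ASSURED]") flag = "assured"
        }
        printf "destroy %s %s:%s->%s:%s %s\n", proto, src, sport, dst, dport, flag
    }'
}

# Stream every teardown (RST/FIN, idle timeout, manual deletion alike) to
# syslog. The event itself does not say why the entry was dropped, so the
# assured/unassured flag is recorded as the only available hint.
log_teardowns() {
    conntrack -E -e DESTROY | format_destroy | logger -t conntrack-teardown
}

# Constructed sample event line in the assumed `conntrack -E` format.
SAMPLE_DESTROY='[DESTROY] tcp      6 src=192.0.2.10 dst=198.51.100.5 sport=45678 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=45678 [ASSURED]'
```

The raw `conntrack -E` stream can be kept instead of the formatted line when full tuples are needed for forensics.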
