Hey list,

I am using a 2.4.22 with the ebtables + br-nf patch of ebtables.sourceforge.net. I am currently not DROPping packets, only logging for a while as a safety for my new rules on this host.

I face a problem with some TCP connections: I want to accept new TCP connections only if they match both --syn and -m state --state NEW. This turns out to be a bad practice in some cases where I see legitimate new TCP connections with correct flags matching --syn but which do not match -m state --state NEW.

This happens a lot with HTTP clients and with DNS requests, and I think this is because of port reuse:

- the HTTP client opens a connection from port xyz to port 80
- it finishes the session and closes the connection
- it reopens another connection with the same port xyz to the same host on port 80

However, grepping the /proc/net/ip_conntrack shows two different entries in such cases.

Am I wrong in thinking the connections should match -m state --state NEW, even if a connection happened with the same ports/ips a few seconds ago? What can I change to fulfill my wishes?

Kind regards,
--
Loïc Minier <lool@xxxxxxxx>
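A small diagnostic for the port-reuse theory above, added here as an example and not part of the original post: it parses the 2.4-era /proc/net/ip_conntrack line format and reports original-direction tuples (proto, src, dst, sport, dport) that appear in more than one entry, together with the conntrack state of each. The conntrack lines are constructed sample data, not from the poster's host.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/net/ip_conntrack lines (2.4 format): the client
# reuses source port 1184 towards port 80 while the old entry is in TIME_WAIT.
SAMPLE_CONNTRACK = """\
tcp      6 119 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=1184 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1184 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=1184 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1184 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=1185 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1185 [ASSURED] use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=1025 use=1
"""

# First "src= dst= sport= dport=" group on a line is the original direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return a list of (proto, state, (src, dst, sport, dport)) per entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0]
        # TCP lines carry a state name after the timeout; UDP lines do not.
        state = fields[3] if proto == "tcp" else "-"
        m = TUPLE_RE.search(line)
        if not m:
            continue
        src, dst, sport, dport = m.groups()
        entries.append((proto, state, (src, dst, int(sport), int(dport))))
    return entries


def find_reused_tuples(text):
    """Map (proto, src, dst, sport, dport) -> [states] for tuples seen more than once."""
    seen = defaultdict(list)
    for proto, state, tup in parse_conntrack(text):
        seen[(proto,) + tup].append(state)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for tup, states in find_reused_tuples(SAMPLE_CONNTRACK).items():
        print(tup, "->", states)
```

Run it against the real file with `find_reused_tuples(open("/proc/net/ip_conntrack").read())` on a 2.4 host to see whether the duplicate entries line up with the --syn-but-not-NEW log hits.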