Re: block + kill connections

/dev/rob0 wrote:
> On Sunday 2006-January-08 16:18, I wrote:
>
> > On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> >
> > > iptables -I INPUT -s 1.2.3.4 -j DROP
> >
> > That will prevent communication by blocking any further incoming
> > packets, but won't do anything to tear down the connection.  See
>
>
> Yes, you're right, sorry. I read too quickly. You're saying this:
>
>
> > ... or simply that a blocked connection has not yet timed out of conntrack or netstat listings.
>
>
> ... and you're right, the REJECT will tell the other end that the connection is terminated. But I doubt that the local side will show anything different in conntrack or netstat, unless a corresponding REJECT rule was used in OUTPUT.

What typically happens is that as soon as the local side transmits
any packet on the half-closed connection, the far end responds with
its own TCP RESET, and the "--tcp-flags ! FIN,RST NONE" matcher in
my suggested rule allows any packet with a RST or FIN flag to get
through.



--
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
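Added example, not the rule from the thread: a script that prints the plain DROP rule quoted above next to a constructed rule set that blocks a peer but still lets a RST or FIN from it reach the local socket and conntrack, plus the OUTPUT-side REJECT the reply leaves open. The verification commands assume conntrack-tools and iproute2 are installed.

```shell
#!/bin/sh
# Constructed example (not the rule from the thread): compare a plain DROP
# with a rule set that blocks a peer yet lets its TCP sessions tear down.

# The rule quoted in the thread: stops further packets, but the local
# socket and the conntrack entry sit half-closed until they time out.
naive_block_rules() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Teardown-friendly variant. "--tcp-flags FIN,RST NONE" matches segments
# carrying neither flag, so a RST or FIN the peer sends falls through to
# the rest of the chain (assumed to accept ESTABLISHED traffic) and closes
# the local state; this is the same effect as the negated matcher in the
# thread. Every other TCP segment is answered with a RST, so the far end
# drops the session at once instead of retransmitting into a void.
# The OUTPUT rule gives the local socket an immediate reset as well, which
# is the case the thread points out when only INPUT is filtered.
block_peer_rules() {
    peer="$1"
    [ -n "$peer" ] || { echo "usage: block_peer_rules <address>" >&2; return 1; }
    printf '%s\n' \
      "iptables -I INPUT 1 -s $peer -p tcp --tcp-flags FIN,RST NONE -j REJECT --reject-with tcp-reset" \
      "iptables -I INPUT 2 -s $peer ! -p tcp -j DROP" \
      "iptables -I OUTPUT 1 -d $peer -p tcp --tcp-flags FIN,RST NONE -j REJECT --reject-with tcp-reset"
}

# Commands to confirm the state is really gone afterwards (assumes
# conntrack-tools and iproute2 are installed).
verify_commands() {
    printf '%s\n' \
      "conntrack -L -s $1" \
      "ss -tn dst $1"
}

# Usage: sh block_peer.sh apply 1.2.3.4   (needs root)
#        sh block_peer.sh 1.2.3.4         (only print the commands)
if [ "$1" = apply ]; then
    block_peer_rules "$2" | sh -e
    verify_commands "$2" | sh
elif [ -n "$1" ]; then
    block_peer_rules "$1"
fi
```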

