On 02/23/2006 07:10 AM, Anders Peter Fugmann wrote:
> Is this intended behaviour? Are RST,SYN packets (or any other packet
> generated by a REJECT rule) automatically marked as RELATED by design?

This is by design. It is due to the RST being generated at different points within the network stack. When the REJECT rule creates the RST, the SYN is immediately dropped, and so there is no existing established conntrack for the RST. When the TCP layer creates the RST, the SYN has already passed through all of netfilter, the conntrack is created, and so the RST can use it.