Thank you again for your response. Suppose I do want to drop existing connections, but I don't want to add the "drop" rule above the "allow established" rule, for performance reasons. Does netfilter provide any API for flushing the conntrack table (all of it or specific entries)? Will stopping the firewall completely flush these entries?

--- On Tue, 4/29/08, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:

> You are asking the wrong question. Iptables is a packet filter, it does
> not filter "sessions" (or connections). As already said, the conntrack
> table is not affected by rule deletion/insertion. So whether packets
> belonging to existing connections are allowed or not depends on the new
> ruleset. If the new ruleset says to ACCEPT packets in the ESTABLISHED
> state, then established connections are still allowed.
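To make the point in the quoted reply concrete, here is an added example that is not from either poster on this thread: a small Python model of first-match rule evaluation sitting next to a conntrack table that survives a ruleset reload. The rule names, addresses and the `Firewall` class are constructed for illustration; the model is deliberately simplified (a flow becomes ESTABLISHED after its first ACCEPTed packet, and only the filter table is modelled), so it shows the ordering effect the reply describes, not the kernel's actual conntrack state machine.

```python
"""Toy model: iptables-style first-match rules beside a persistent conntrack table.

Illustration only; this is not netfilter code. It shows why reloading rules
does not touch existing flows, why rule order relative to the ESTABLISHED
rule decides their fate, and what flushing conntrack entries changes.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    src: Optional[str] = None        # match on source address, None = any
    state: Optional[str] = None      # match on conntrack state, None = any


class Firewall:
    """First-match packet filter with a conntrack table kept apart from the rules."""

    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules = list(rules)
        self.policy = policy
        # Simplification: a flow is tracked once one of its packets is accepted.
        self.conntrack: Set[Tuple[str, str]] = set()

    def classify(self, src: str, dst: str) -> str:
        return "ESTABLISHED" if (src, dst) in self.conntrack else "NEW"

    def filter(self, src: str, dst: str) -> str:
        """Walk the rules top to bottom; the first match wins, else the chain policy."""
        state = self.classify(src, dst)
        verdict = self.policy
        for rule in self.rules:
            if rule.src not in (None, src):
                continue
            if rule.state not in (None, state):
                continue
            verdict = rule.target
            break
        if verdict == "ACCEPT":
            self.conntrack.add((src, dst))
        return verdict

    def reload(self, rules: List[Rule]) -> None:
        """Replace the ruleset. Deliberately leaves conntrack untouched, as iptables does."""
        self.rules = list(rules)

    def flush_conntrack(self, src: Optional[str] = None) -> None:
        """Drop all tracked flows, or only those from one source address."""
        if src is None:
            self.conntrack.clear()
        else:
            self.conntrack = {flow for flow in self.conntrack if flow[0] != src}


def demo() -> dict:
    """Same DROP rule, three placements; returns the verdict for an already open flow each time."""
    allow_established = Rule("ACCEPT", state="ESTABLISHED")
    allow_new = Rule("ACCEPT", state="NEW")           # stand-in for "allow new to a service"
    block_host = Rule("DROP", src="10.0.0.5")         # constructed sample address

    fw = Firewall([allow_established, allow_new])
    fw.filter("10.0.0.5", "srv")   # opens a flow from the host we later want to block
    fw.filter("10.0.0.9", "srv")   # an unrelated flow that should stay up throughout

    # 1. DROP inserted below the ESTABLISHED rule: the open flow keeps matching ACCEPT.
    fw.reload([allow_established, block_host, allow_new])
    below = fw.filter("10.0.0.5", "srv")

    # 2. DROP inserted above the ESTABLISHED rule: the open flow dies on the next packet.
    fw.reload([block_host, allow_established, allow_new])
    above = fw.filter("10.0.0.5", "srv")

    # 3. DROP kept below, but the host's conntrack entries removed: the next packet is
    #    NEW again, so it reaches the DROP rule; other hosts' flows are untouched.
    fw.reload([allow_established, block_host, allow_new])
    fw.flush_conntrack(src="10.0.0.5")
    flushed = fw.filter("10.0.0.5", "srv")
    bystander = fw.filter("10.0.0.9", "srv")

    return {"below": below, "above": above, "flushed": flushed, "bystander": bystander}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The third case is the one the question is after: keeping the DROP rule below the ESTABLISHED rule costs nothing for unrelated traffic, and removing the offending host's entries from the state table is what turns its next packet back into a NEW one that the DROP rule can see.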