Richard Feng wrote:
> On May 7, 2010 02:57:51 am Pascal Hambourg wrote:
>>
>> The conntrack tool only deals with netfilter connection tracking, not
>> with the actual connection (e.g. it won't send RST's in order to tear it
>> down). How it may affect the actual connection depends on the iptables
>> ruleset.
>>
> It says it can block traffic in the
> document "http://conntrack-tools.netfilter.org/manual.html#conntrack".

Do you mean this: "this can be used to block traffic"?

It can be used to block traffic, but does not block traffic by itself.
Subsequent packets of a deleted TCP connection will just be in the INVALID
state; it is up to the iptables ruleset to drop such packets if this is what
you want.

> What should I do if I want to break current connection? Using 'cutter'?

What do you want to achieve exactly? Drop/reject subsequent packets? Then see
above, you need iptables. Or actively close the connection? Then you need a
tool such as cutter.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
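The point made in the reply above, as an added shell example that is not part of the thread and not from the conntrack-tools or iptables projects: deleting the tracking entry with `conntrack -D` only removes netfilter's bookkeeping, so the ruleset has to be the thing that actually drops the connection's later packets. The script first makes sure a DROP for the INVALID state sits at the top of INPUT and FORWARD (using `iptables -C` to avoid inserting duplicates, which assumes an iptables new enough to support `-C`), and only then deletes the entry. It also goes one step beyond the thread: with the kernel's default `nf_conntrack_tcp_loose=1`, a mid-stream packet can be picked up as a NEW entry instead of being classed INVALID, so the usual "NEW but not SYN" drop is added alongside. `IPTABLES` and `CONNTRACK` can be overridden (for example with `echo`) for a dry run on a box without root; the sample addresses and ports in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the netfilter thread or the conntrack-tools project).
# conntrack -D only removes the tracking entry; make sure the ruleset drops the
# connection's subsequent packets before deleting it.
#
# IPTABLES / CONNTRACK are overridable so the script can be dry-run
# (e.g. IPTABLES=echo CONNTRACK=echo ./kill-conn.sh 10.0.0.5 51234 192.0.2.10 22).

IPTABLES="${IPTABLES:-iptables}"
CONNTRACK="${CONNTRACK:-conntrack}"

# Insert a rule at the top of its chain unless an identical one is already
# present.  "$@" is the full rule spec starting with the chain name, e.g.
#   ensure_rule INPUT -m conntrack --ctstate INVALID -j DROP
# Returns 0 when the rule is present afterwards.
ensure_rule() {
    if $IPTABLES -C "$@" 2>/dev/null; then
        return 0            # already there, nothing to do
    fi
    $IPTABLES -I "$@"
}

# Make one chain drop the packets a deleted connection will produce:
#  - INVALID: packets that match no conntrack entry and cannot start one;
#  - NEW without SYN: what a mid-stream packet becomes when tcp_loose pickup
#    turns it into a fresh entry instead of classing it INVALID.
harden_chain() {
    chain="$1"
    ensure_rule "$chain" -m conntrack --ctstate INVALID -j DROP || return 1
    ensure_rule "$chain" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# Delete the conntrack entry for one TCP connection, identified by its
# original-direction tuple, after the drop rules are in place.
# Usage: kill_tracked_tcp SRC SPORT DST DPORT
kill_tracked_tcp() {
    src="$1"; sport="$2"; dst="$3"; dport="$4"
    harden_chain INPUT   || return 1
    harden_chain FORWARD || return 1
    $CONNTRACK -D -p tcp -s "$src" --sport "$sport" -d "$dst" --dport "$dport"
}

# Run only when invoked with the four tuple arguments.
if [ "$#" -eq 4 ]; then
    kill_tracked_tcp "$@"
fi
```

The order matters: if the entry were deleted first, the peers could keep exchanging packets until the rules went in, and with tcp_loose enabled the tracker might simply re-create the entry from the next ACK. Note that none of this sends a RST to either peer; the connection is starved, not closed, which is exactly the distinction the reply draws between iptables and a tool such as cutter.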