Pablo Neira Ayuso wrote:
> Jan Engelhardt wrote:
>> On Friday 2010-05-07 18:17, Richard Feng wrote:
>>
>>>>> From the documentation (from conntrack-tools.netfilter.org),
>>>>> somewhere it says that "have to set
>>>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>>>> zero". There is simply no 'netfilter' folder under my folder
>>>>> '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>>>
>>> So 'conntrack -D' can not really cut current connections? It can
>>> only delete entry from the state table? I just want to make sure -
>>> from the document
>>> "http://conntrack-tools.netfilter.org/manual.html#conntrack". It
>>> clearly said "Delete on entry, this can be used to block traffic
>>> (you have to set
>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".
>>
>> The documentation seems to be off here. If you only delete a ct
>> entry, the next packet (even if a TCP ACK or something) will make
>> a new ct with NEW as a ctstate.
>>
>> To really have a TCP/SCTP connection blocked after deletion of the ct
>> entry, you have to only allow NEW ctstates with the initial TCP/SCTP
>> packet (SYN/INIT).
>
> Yes, you need a well-formed stateful rule-set "to cut" the connection
> (at least you have to add a rule to block traffic in INVALID stats).

With "stats" I meant "state", and liberal tracking must be disabled as said.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
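The stateful rule-set Jan and Pablo describe, as an added shell example that is not part of the thread: drop INVALID, open a NEW TCP entry only on a SYN, and keep liberal tracking off so that "conntrack -D" really cuts the flow. It assumes iptables with the conntrack match, port 22 as a sample service, and that the tcp_be_liberal sysctl exists either at the path quoted in the thread or at its newer net.netfilter location.

```shell
#!/bin/sh
# Added example (not from the thread). Port 22 and the 192.0.2.10 address
# below are constructed; the second sysctl path is the newer location of
# the knob quoted in the thread (assumption: at least one of them exists).
set -eu

BE_LIBERAL_CANDIDATES="/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal"

# Print the ruleset in iptables-restore format so it can be reviewed first.
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Weak form seen in many rulesets: "--ctstate NEW -j ACCEPT" with no SYN
# check lets the first packet after the entry was deleted (a plain ACK)
# open a fresh NEW entry, so "conntrack -D" cuts nothing.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 when the given file holds "0" (liberal tracking disabled).
be_liberal_disabled_in() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# Locate whichever sysctl path this kernel exposes, if any.
be_liberal_path() {
    for p in $BE_LIBERAL_CANDIDATES; do
        [ -e "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Apply everything; needs root. After this, deleting the entry with
#   conntrack -D -p tcp --dport 22 --src 192.0.2.10
# leaves the peer's next ACK as INVALID (or non-SYN NEW), which is dropped.
main() {
    p=$(be_liberal_path) || { echo "no tcp_be_liberal sysctl found" >&2; return 1; }
    be_liberal_disabled_in "$p" || echo 0 > "$p"
    stateful_ruleset | iptables-restore
}

case "${1:-}" in apply) main ;; esac
```

Run with `sh script.sh apply` to load it; without the argument it only defines the functions, so the ruleset can be inspected with `stateful_ruleset` first.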