On Friday 2010-05-07 21:14, Pablo Neira Ayuso wrote:

>>> The documentation seems to be off here. If you only delete a ct
>>> entry, the next packet (even if a TCP ACK or something) will make
>>> a new ct with NEW as a ctstate.
>>>
>>> To really have a TCP/SCTP connection blocked after deletion of the ct
>>> entry, you have to only allow NEW ctstates with the initial TCP/SCTP
>>> packet (SYN/INIT).
>>
>> Yes, you need a well-formed stateful rule-set "to cut" the connection
>> (at least you have to add a rule to block traffic in INVALID stats).
>
> With "stats" I meant "state", and liberal tracking must be disabled as said.

Which is the default anyway. :-)

I think what was really meant was tcp_loose, not tcp_be_liberal. Anyway, I don't want to give bad hints. It's better to use a restrictive ruleset than tweaking sysctls.
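The restrictive stateful ruleset the thread recommends, written out as an added example in nftables syntax (it is not code from the thread, whose participants were working with iptables). It admits a NEW conntrack entry only for a bare TCP SYN or an SCTP INIT, so a mid-stream segment arriving after its ct entry was deleted cannot silently re-create the flow; the port numbers, interface name and the tcp_loose setting are illustrative assumptions, not values from the thread.

```nft
# Added example, not from the original thread. Host firewall, single box.
#
# Related sysctl (default is 1): with nf_conntrack_tcp_loose=1 conntrack
# may "pick up" a flow from a mid-stream ACK and tag it NEW; the ruleset
# below is written so that this does not matter either way.
#   sysctl -w net.netfilter.nf_conntrack_tcp_loose=0   (optional hardening)

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept

        # Flows conntrack already knows about.
        ct state established,related accept

        # Packets conntrack cannot attach to any flow. After "conntrack -D"
        # on an entry, further segments of that flow land here (with
        # tcp_loose=0) and are dropped rather than re-tracked.
        ct state invalid drop

        # Weak form that the thread warns about (kept for contrast, disabled):
        #   ct state new tcp dport { 22, 443 } accept
        # A stray mid-stream ACK is also "new" with tcp_loose=1, so it would
        # re-open the flow. The corrected rule insists on a bare SYN.
        ct state new tcp flags & (fin|syn|rst|ack) == syn \
            tcp dport { 22, 443 } accept          # assumed service ports

        # Same idea for SCTP: a NEW association must carry an INIT chunk.
        ct state new sctp chunk init exists \
            sctp dport 3868 accept                # assumed service port

        # Anything else that is NEW (non-SYN TCP, non-INIT SCTP, other
        # protocols) falls through to the chain policy and is dropped.
    }
}
```

Load it with `nft -f` and, to test the claim in the thread, delete a live entry with `conntrack -D` (from conntrack-tools) and watch the next segment of that connection hit the `ct state invalid` or policy drop instead of producing a fresh NEW entry in `conntrack -L`.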