On 2011-08-25 07:04, Grant Taylor wrote:
> I'd sit down and think about how frequently this "problem" (such as it is)
> happens and if it has enough impact to cause me to want to re-design
> firewall rules to take it into account.

Indeed.

A better solution:

    -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

If your firewall script clears the connection states (conntrack -F) or
unloads and reloads the kernel modules (thus doing the same thing), you
will always have this problem, and no different iptables design will fix
it.

Regards,
Tyler

-- 
"The Congress shall have Power . . . To promote the Progress of Science
and useful Arts, by securing for limited Times to Authors and Inventors
the exclusive Right to their respective Writings and Discoveries."
-- Article I, Section 8, U.S. Constitution
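The following is an added example, not part of Tyler's post or of netfilter itself: a toy Python model of the three INPUT rules above sitting behind a minimal connection-tracking table. It walks a few constructed packets through the chain to show which rule fires in each case, and what happens to an in-flight session once the table is flushed. Assumptions not in the post: the chain policy is DROP, the tracker behaves like the default nf_conntrack_tcp_loose=1 (a mid-stream non-SYN segment with no entry is picked up as NEW rather than INVALID), and the addresses are made up.

```python
from dataclasses import dataclass

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set and ACK clear, which is what iptables --syn matches
    proto: str = "tcp"


class Conntrack:
    """Toy connection table keyed by the original-direction 4-tuple.

    Models the NEW/ESTABLISHED decision of nf_conntrack: a packet that finds
    no entry creates one and is NEW; later original-direction packets stay
    NEW until a reply is seen; reply-direction packets, and everything after
    the first reply, are ESTABLISHED. Assumes the default
    nf_conntrack_tcp_loose=1, so a non-SYN segment with no entry is picked
    up as NEW (with tcp_loose=0 it would be INVALID, which these rules do
    not ACCEPT either).
    """

    def __init__(self) -> None:
        self.table: dict[tuple, bool] = {}   # 4-tuple -> reply seen?

    def flush(self) -> None:
        """Equivalent of `conntrack -F`, or unloading and reloading nf_conntrack."""
        self.table.clear()

    def classify(self, p: Packet) -> str:
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.table:
            return ESTABLISHED if self.table[orig] else NEW
        if reply in self.table:
            self.table[reply] = True      # first reply: flow is now established
            return ESTABLISHED
        self.table[orig] = False          # unknown flow: create entry, state NEW
        return NEW


def input_chain(ct: Conntrack, p: Packet, policy: str = DROP) -> str:
    """Walk the three INPUT rules from the post in order and return the verdict.

    The chain policy is not stated in the post; DROP is assumed here.
    """
    state = ct.classify(p)
    # -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    if p.proto == "tcp" and not p.syn and state == NEW:
        return DROP
    # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if state in (ESTABLISHED, RELATED):
        return ACCEPT
    # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    if p.proto == "tcp" and p.dport == 22:
        return ACCEPT
    return policy


def inbound_ssh_across_flush() -> list:
    """Client connects to port 22; the firewall script flushes conntrack mid-session."""
    ct = Conntrack()
    client, server = ("198.51.100.7", 40000), ("10.0.0.1", 22)       # constructed
    verdicts = [input_chain(ct, Packet(*client, *server, syn=True))]  # SYN: rule 3 ACCEPT
    ct.classify(Packet(*server, *client))                             # SYN/ACK out via OUTPUT: reply seen
    verdicts.append(input_chain(ct, Packet(*client, *server)))        # ACK: ESTABLISHED, rule 2
    ct.flush()                                                        # firewall reload
    verdicts.append(input_chain(ct, Packet(*client, *server)))        # NEW without SYN: rule 1 DROP
    return verdicts


def outbound_https_across_flush() -> list:
    """Host opens a connection out; the flush happens after the handshake."""
    ct = Conntrack()
    me, peer = ("10.0.0.1", 51000), ("203.0.113.5", 443)              # constructed
    ct.classify(Packet(*me, *peer, syn=True))                         # our SYN is tracked on OUTPUT
    verdicts = [input_chain(ct, Packet(*peer, *me))]                  # SYN/ACK: reply, rule 2 ACCEPT
    ct.flush()
    verdicts.append(input_chain(ct, Packet(*peer, *me)))              # next segment: NEW, DROP
    return verdicts


def unsolicited_packets() -> dict:
    """Packets with no prior state: bare ACK (e.g. an ACK scan), SYN to 22, SYN to 80."""
    ct = Conntrack()
    return {
        "ack_to_22": input_chain(ct, Packet("198.51.100.9", 55555, "10.0.0.1", 22)),
        "syn_to_22": input_chain(ct, Packet("198.51.100.9", 55556, "10.0.0.1", 22, syn=True)),
        "syn_to_80": input_chain(ct, Packet("198.51.100.9", 55557, "10.0.0.1", 80, syn=True)),
    }


if __name__ == "__main__":
    print("inbound ssh :", inbound_ssh_across_flush())
    print("outbound tls:", outbound_https_across_flush())
    print("unsolicited :", unsolicited_packets())
```

Two things the walk-through makes concrete. First, the `! --syn` NEW rule is what stops a bare ACK to port 22 from reaching rule 3; without it, a non-SYN segment that conntrack picks up as NEW would be accepted by the port rule. Second, in the outbound case the post-flush segment is dropped whether or not rule 1 exists: the tracker has forgotten the flow, so the packet is not ESTABLISHED, and its destination port is not one any ACCEPT rule lists, so it falls through to the DROP policy. That is the sense in which no arrangement of the rules survives a `conntrack -F` or a module reload; the state the rules depend on is simply gone.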