On Thursday 2011-08-25 08:04, Grant Taylor wrote:

> On 8/24/2011 08:42, Adishesh M wrote:
>> What is the problem with the above rule? We used this rule to drop
>> bad TCP packets. When the firewall is restarted using "service iptables
>> restart", SSH sessions are hanging.
>
> I don't think there is anything wrong with the rule at all. I think the
> problem is how you are thinking about the connection.
>
> You are looking for connections that are new to the connection tracking
> sub-system that do not have a SYN flag set.
>
> An already established SSH connection will not need to send a SYN packet, but
> will still appear "new" to the connection tracking sub-system after you
> re-start the firewall.

It depends on _what_ actually is restarted. Changing just the ruleset
does not affect CT entries.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
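The distinction the reply draws (ruleset reload versus a restart that empties the conntrack table) is what decides whether an in-flight SSH session survives a `-p tcp ! --syn -m state --state NEW -j DROP` rule. On RHEL-family systems `service iptables restart` unloads the netfilter modules unless `IPTABLES_MODULES_UNLOAD=no` is set in `/etc/sysconfig/iptables-config`, and unloading `nf_conntrack` discards every CT entry; `iptables-restore` by itself leaves them alone. The following is an added example, not code from the thread or from the netfilter project: a deliberately minimal Python model of the conntrack lookup and of the `--syn`/`--state NEW` match, run over a constructed SSH session with and without a CT flush at the restart. Addresses, ports and the `Packet`/`Conntrack` names are illustrative only; the model ignores TCP window tracking, timeouts and the reply direction.

```python
"""Model: how `-p tcp ! --syn -m state --state NEW -j DROP` treats a live SSH
session across a firewall restart, depending on whether the restart also
empties the conntrack table. Added illustration, not netfilter code."""

from dataclasses import dataclass, field

# TCP flag bits (the only ones the model looks at)
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Conntrack:
    """Tiny stand-in for the kernel CT table: a set of known flows."""
    entries: set = field(default_factory=set)

    @staticmethod
    def key(p: Packet):
        # Direction-agnostic flow key, so the reply direction maps to the
        # same entry as the original direction (like conntrack's tuples).
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def state_of(self, p: Packet) -> str:
        # A packet with no matching entry is NEW to conntrack even when it
        # is mid-stream; that is exactly the case the rule is aimed at.
        return "ESTABLISHED" if self.key(p) in self.entries else "NEW"

    def flush(self) -> None:
        # What unloading nf_conntrack (or `conntrack -F`) does.
        self.entries.clear()


def is_syn(p: Packet) -> bool:
    """iptables --syn: SYN set, ACK and RST clear."""
    return p.flags & (SYN | ACK | RST) == SYN


def drop_new_non_syn(p: Packet, state: str) -> bool:
    """The rule from the thread: -p tcp ! --syn -m state --state NEW -j DROP."""
    return state == "NEW" and not is_syn(p)


def filter_packet(ct: Conntrack, p: Packet) -> str:
    """Run one packet through the rule; mimic that a CT entry is only
    confirmed if the packet is accepted, so a dropped pickup leaves no entry."""
    state = ct.state_of(p)
    if drop_new_non_syn(p, state):
        return "DROP"
    ct.entries.add(ct.key(p))
    return "ACCEPT"


def simulate(restart_flushes_conntrack: bool) -> list:
    """Constructed scenario: SSH handshake, a keystroke, firewall restart,
    another keystroke. Returns the verdict for each of the three packets."""
    ct = Conntrack()
    client, server = ("10.0.0.5", 51234), ("10.0.0.1", 22)   # illustrative
    handshake = Packet(*client, *server, SYN)
    keystroke = Packet(*client, *server, ACK | PSH)

    verdicts = [filter_packet(ct, handshake),   # SYN, NEW -> ACCEPT, entry created
                filter_packet(ct, keystroke)]   # ESTABLISHED -> ACCEPT

    if restart_flushes_conntrack:
        ct.flush()          # module unload: the session is forgotten
    # A pure ruleset reload (iptables-restore) changes nothing in ct.

    verdicts.append(filter_packet(ct, keystroke))   # the packet after restart
    return verdicts


if __name__ == "__main__":
    print("reload ruleset only :", simulate(False))
    print("restart flushes CT  :", simulate(True))
```

With the table kept, the third packet is ESTABLISHED and passes; with the table flushed it is a NEW non-SYN packet and the rule drops it, which is the hang the original poster saw. The practical check on a box is `conntrack -L` before and after the restart: if the SSH flow disappears, the restart unloaded the modules. Reloading with `iptables-restore` (or setting `IPTABLES_MODULES_UNLOAD=no` before restarting) keeps the entries, though any flow that predates a CT flush for other reasons will still be dropped by that rule.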