On Mon 2019-07-08 21:07:16 +0200, Reindl Harald wrote:
>
>
> On 08.07.19 at 20:43, Florian Westphal wrote:
> >> Another thing I'm wondering is whether this rule could be impacting
> >> connections beyond lo, but I just don't know about it.
> >
> > NOTRACK? If you restrict it via -i lo / -o lo, then no, it won't affect
> > anything else.
> >
> > NAT for such connections won't work, but that's normally not an issue
> > in the loopback case.
>
> I think the question was if "iptables -t mangle -A PREROUTING -p all -m
> conntrack --ctstate INVALID -j DROP" also breaks things beyond the "lo"
> interface, which it shouldn't and doesn't appear to, but who knows.
>
> It shouldn't break anything at all, also not on "lo".

Right, sorry, I was wondering about the INVALID rule given it would still
be applied to non-lo traffic.

> If you want to reproduce this, set up SSH forwarding to a VNC server, leave
> the VNC window in the background, and after a relatively short amount of
> time the tunneled connection with tigervnc-1.9.0-3.fc29.x86_64 just
> freezes with the last picture.

That is concerning if it's the same issue!
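The question in the thread is whether the mangle PREROUTING "--ctstate INVALID -j DROP" rule sits in the path of loopback traffic at all, or whether lo has been taken out of it with "-i lo" / "-o lo" as Florian suggests. The script below is an added example and is not code from this thread or from the netfilter project: it parses a constructed iptables-save dump (the sample rules are made up for illustration, modelled on the rule quoted above) and reports, for every INVALID DROP rule, whether a loopback packet can still reach it given rule order and interface matches. It assumes the modern iptables-save syntax where negation is written as "! -i lo" before the option. It only answers the ordering question; whether conntrack actually flags a given loopback packet as INVALID is decided by the kernel per packet and is not modelled here.

```python
"""Audit an iptables-save dump for conntrack INVALID DROP rules and report
whether loopback traffic is exempted before they match (added example)."""
import shlex

# Constructed sample dump, not a real ruleset: the mangle PREROUTING rule is
# the one quoted in the thread; the filter INPUT chain exempts lo first.
SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -p all -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Same dump with the mangle rule restricted away from lo via "! -i lo".
FIXED_RULES = SAMPLE_RULES.replace(
    "-A PREROUTING -p all", "-A PREROUTING ! -i lo -p all")


def parse_iptables_save(text):
    """Return {(table, chain): [rule_tokens, ...]} preserving rule order."""
    chains = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chains.setdefault((table, line[1:].split()[0]), [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault((table, tokens[1]), []).append(tokens[2:])
    return chains


def option(tokens, flag):
    """(negated, value) for the first occurrence of `flag`, else None.
    Assumes "! -i lo" style negation (the token before the flag is "!")."""
    for i, tok in enumerate(tokens):
        if tok == flag:
            negated = i > 0 and tokens[i - 1] == "!"
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            return negated, value
    return None


def is_invalid_drop(tokens):
    """True for a rule that drops packets whose ctstate includes INVALID."""
    state = option(tokens, "--ctstate")
    return (state is not None and not state[0]
            and "INVALID" in state[1].split(",")
            and option(tokens, "-j") == (False, "DROP"))


def is_loopback_exemption(tokens):
    """True for a plain "-i lo" / "-o lo" ACCEPT or RETURN with no other
    match, i.e. a rule that takes lo traffic out of the chain entirely."""
    flags = {t for t in tokens if t.startswith("-")}
    return ("!" not in tokens and flags <= {"-i", "-o", "-j"}
            and (option(tokens, "-i") == (False, "lo")
                 or option(tokens, "-o") == (False, "lo"))
            and option(tokens, "-j") in ((False, "ACCEPT"), (False, "RETURN")))


def matches_loopback(tokens):
    """Can a packet on lo match this rule's interface selectors?
    "-i eth0" and "! -i lo" exclude it; "-i lo" or no selector do not."""
    for flag in ("-i", "-o"):
        opt = option(tokens, flag)
        if opt is None:
            continue
        negated, iface = opt
        if (iface == "lo") == negated:
            return False
    return True


def audit_invalid_drops(text):
    """Return [(table, chain, 'applies-to-lo' | 'lo-exempt'), ...] for every
    INVALID DROP rule, walking each chain in order like the kernel would."""
    findings = []
    for (table, chain), rules in parse_iptables_save(text).items():
        lo_exempted = False
        for tokens in rules:
            if is_loopback_exemption(tokens):
                lo_exempted = True
            elif is_invalid_drop(tokens):
                applies = matches_loopback(tokens) and not lo_exempted
                findings.append((table, chain,
                                 "applies-to-lo" if applies else "lo-exempt"))
    return findings


if __name__ == "__main__":
    for label, dump in (("as quoted", SAMPLE_RULES), ("with ! -i lo", FIXED_RULES)):
        for table, chain, status in audit_invalid_drops(dump):
            print(f"{label}: {table}/{chain}: {status}")
```

Run it against a real dump with `iptables-save | python3 audit.py` after swapping the constant for `sys.stdin.read()`; a finding of "applies-to-lo" in mangle/PREROUTING is exactly the configuration the thread is discussing, and "lo-exempt" is what you get once the rule carries "! -i lo" or an earlier "-i lo -j ACCEPT" precedes it in the same chain.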