Thus spoke Ralf Döblitz <[EMAIL PROTECTED]> [2006.07.04.0927 +0200]:
> After reboot the packets of your SSH connection were not known to belong to
> an established connection but fell through to your set of filter rules.

How? I load the DROP rules before the ACCEPT ones. I can't think of a way
this would be possible.

> am sure that they were accepted there,

Yes, if they ever got there. Many people have rules like

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

I've done research and found that

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

is the same, meaning that the INVALID state matches all non-SYN packets at
this point.

Still surprised,

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"in a country where the sole employer is the state, opposition means
 death by slow starvation. the old principle: who does not work shall
 not eat, has been replaced by a new one: who does not obey shall not
 eat."
                                                    -- leon trotsky, 1937
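The effect the two mails discuss (an SSH session that dies when the firewall host reboots and its conntrack table comes back empty) can be traced with a small model of how netfilter evaluates the two INPUT chains quoted above. The following is an added example, not code from the original thread or from iptables itself; it encodes the post's observation that a TCP packet without SYN and without a conntrack entry is classified INVALID, and exposes that as a `tcp_loose` switch because the real kernel's mid-stream pickup behaviour is governed by the `nf_conntrack_tcp_loose` sysctl. The client address and packet sequence are constructed.

```python
from dataclasses import dataclass, field

# Added example, not from the mail: a simplified model of conntrack state
# classification followed by evaluation of an iptables INPUT chain.


@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool                       # True only for a connection-opening SYN
    src: str = "198.51.100.7"       # constructed client address


@dataclass
class Conntrack:
    """Minimal conntrack table: the set of (src, dport) flows currently tracked."""
    tcp_loose: bool = False         # model of nf_conntrack_tcp_loose (assumption)
    flows: set = field(default_factory=set)

    def classify(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dport)
        if key in self.flows:
            return "ESTABLISHED"
        if pkt.proto == "tcp" and pkt.syn:
            self.flows.add(key)     # a SYN creates a NEW entry
            return "NEW"
        if pkt.proto == "tcp" and self.tcp_loose:
            self.flows.add(key)     # mid-stream pickup: treat as NEW
            return "NEW"
        return "INVALID"            # non-SYN, no entry: what the post observes


# The two rule sets from the mail, as match dictionaries. A missing key means
# "no constraint", exactly like an omitted iptables match.
RULES_SYN_ONLY = [
    {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "syn": True, "target": "ACCEPT"},
]
RULES_INVALID_DROP = [
    {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"ctstate": {"INVALID"}, "target": "DROP"},
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
]


def matches(rule: dict, pkt: Packet, state: str) -> bool:
    if "ctstate" in rule and state not in rule["ctstate"]:
        return False
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    if "dport" in rule and pkt.dport != rule["dport"]:
        return False
    if "syn" in rule and pkt.syn != rule["syn"]:
        return False
    return True


def filter_input(rules: list, pkt: Packet, state: str, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt, state):
            return rule["target"]
    return policy


def ssh_session_across_reboot(rules: list, tcp_loose: bool = False) -> list:
    """Verdicts for: SYN, data packet, <reboot wipes conntrack>, data packet, new SYN."""
    syn = Packet("tcp", 22, syn=True)
    data = Packet("tcp", 22, syn=False)
    ct = Conntrack(tcp_loose=tcp_loose)
    verdicts = [
        filter_input(rules, syn, ct.classify(syn)),
        filter_input(rules, data, ct.classify(data)),
    ]
    ct = Conntrack(tcp_loose=tcp_loose)   # reboot: the table starts empty
    verdicts.append(filter_input(rules, data, ct.classify(data)))
    verdicts.append(filter_input(rules, syn, ct.classify(syn)))
    return verdicts


if __name__ == "__main__":
    for name, rules in (("--syn rule", RULES_SYN_ONLY), ("INVALID DROP", RULES_INVALID_DROP)):
        print(name, "strict:", ssh_session_across_reboot(rules),
              "loose:", ssh_session_across_reboot(rules, tcp_loose=True))
```

Run as is, both chains give the same verdict sequence under the strict model: the third packet, the first data segment of the old session after the reboot, is dropped, which is exactly the hang the original poster saw, and the next SYN is accepted again. Flipping `tcp_loose` on shows where the two chains stop being equivalent: with mid-stream pickup the post-reboot data packet becomes NEW, the `--syn` chain still drops it, while the INVALID-DROP chain lets it through on the plain `--dport 22` rule.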