> been to. What seems to make no sense is that I see this
>
> 192.168.0.2,1134 207.46.226.25,80 tcp ESTABLISHED 59:1:51
>
> when the box 192.168.0.2 is down and has been down for hours. Why would
> netfilter still see this connection as ESTABLISHED ?
In this situation, the client box never sends a packet again. And, if the server has no data to send, it also does not need to send any packet. Alternatively, that server has gone down, too, and forgot about your client connection. Then, it also won't send any packet. So, in total, conntracking sees no packet. There is no way to guess that one or both sides died. Thus, the normal expire timeouts for ESTABLISHED connections, which are some days, apply.

It has been discussed numerous times here that this behaviour is unwanted for some situations, and critical for others (where long-running TCP connections without traffic are the norm). To meet both situations somewhere in the middle, the iptables timeouts were chosen the way they are now. As this is a compromise, it cannot be the "right thing" for most situations. But there is no way it can be improved in a generic manner without pissing off part of the "population".

Hope this explains things to you sufficiently.

best regards
Patrick
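An added example, not part of Patrick's reply or of netfilter itself, that turns the explanation above into a check: since conntrack only records how much of the ESTABLISHED timeout is left, the idle time of an entry is the configured timeout minus the remaining one, which is how you spot entries whose peers have gone silent. It assumes the `/proc/net/nf_conntrack` listing format of current kernels (the thread's older `ip_conntrack` listing differs), that the `59:1:51` in the quoted entry is hours:minutes:seconds, and the kernel default of 432000 s (5 days); the sample table is constructed.

```shell
#!/bin/sh
# Estimate how long each TCP ESTABLISHED conntrack entry has been idle.
# Assumed /proc/net/nf_conntrack line format:
#   ipv4 2 tcp 6 <seconds-left> <STATE> src=.. dst=.. sport=.. dport=.. ...

# Configured ESTABLISHED timeout in seconds (new sysctl path, then the
# pre-2.6.2x path), falling back to the kernel default of 432000 (5 days).
established_timeout() {
    cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 2>/dev/null \
    || cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 2>/dev/null \
    || echo 432000
}

# Read a conntrack listing on stdin; $1 = configured ESTABLISHED timeout,
# $2 = idle threshold in seconds (default 1 hour). Prints one line per TCP
# ESTABLISHED entry with the seconds left and the derived idle time, and
# flags entries idle longer than the threshold with STALE. UDP and other
# states are skipped.
report_idle() {
    awk -v full="$1" -v stale="${2:-3600}" '
        $3 == "tcp" && $6 == "ESTABLISHED" {
            left = $5; idle = full - left
            split($7, s, "="); split($8, d, "=")
            split($9, sp, "="); split($10, dp, "=")
            flag = (idle > stale) ? "  STALE" : ""
            printf "%s:%s -> %s:%s left=%d idle=%d%s\n",
                   s[2], sp[2], d[2], dp[2], left, idle, flag
        }'
}

# Constructed sample table. The first entry mirrors the quoted one: 59:1:51
# left, i.e. 212511 s, so with a 5-day timeout it has been idle ~61 hours.
sample_table() {
    cat <<'EOF'
ipv4     2 tcp      6 212511 ESTABLISHED src=192.168.0.2 dst=207.46.226.25 sport=1134 dport=80 src=207.46.226.25 dst=192.168.0.2 sport=80 dport=1134 [ASSURED] use=1
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.0.7 dst=10.0.0.5 sport=40000 dport=22 src=10.0.0.5 dst=192.168.0.7 sport=22 dport=40000 [ASSURED] use=1
ipv4     2 udp     17 29 src=192.168.0.3 dst=192.168.0.1 sport=53011 dport=53 src=192.168.0.1 dst=192.168.0.3 sport=53 dport=53011 use=1
EOF
}

# On a real box replace sample_table with: cat /proc/net/nf_conntrack
sample_table | report_idle "$(established_timeout)" 3600
```

A large idle value only says that no packet has matched the entry for that long; as Patrick notes, conntrack cannot tell a dead peer from a quiet one, so the flag is a prompt to look, not proof the host is gone.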
