On Mon, Mar 25, 2002 at 01:30:51PM -0500, Stephen Frost wrote:
> * Leonardo Rodrigues ([EMAIL PROTECTED]) wrote:
> >
> > I've been using this same 'new not syn' rule for a long time and have had
> > absolutely no problems with it. I've also found SEVERAL connections being
> > blocked by it. Anyway, it's completely safe to drop connections that do not
> > have the SYN and are recognized as NEW, as they really don't make sense.
>
> You can also apply the patch from p-o-m called 'conntrack-tcp-nopickup'
> which alters the TCP state tracking machine to not 'pick up' connections
> which are around before the firewall comes up.
>
> Harald, since you asked for feedback, the only issue I've seen so far
> when running with this patch (which has been running on my firewall for
> almost a month now) is that occasionally I'll see a great many 'ACK's
> being sent from my web server to some external IP address in my logs.
> It doesn't seem to have caused any serious problem in general though.
Thanks for giving this feedback. I think I'm going to port this patch to
newnat, and make it a sysctl, so users can choose the desired behaviour.
Newnat will get into 2.5.8 and 2.4.20.

btw: be sure to Cc me next time, I don't read the netfilter users mailing
list on a regular basis.

> If you'd like some more information on this I'd be happy to provide it.

Well, it would be interesting to know why those ACKs don't belong to any
established connections, yes...

> Stephen

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
msg01307/pgp00000.pgp
Description: PGP signature
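The thread above contrasts two ways of dealing with TCP packets that arrive without a conntrack entry: the 'new not syn' filter rule (the usual form being `iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP`) and the conntrack-tcp-nopickup patch, which stops the state machine from "picking up" a flow from a mid-stream ACK. The following is an added example, not code from the thread or from netfilter: a small Python model of the two behaviours. The tracker, the `confirm()` step (an entry only survives if the packet passes filtering, a simplification of what conntrack does), the INPUT chain policy and the packet sequence with RFC 5737 documentation addresses are all constructed here for illustration.

```python
"""Toy model of TCP connection tracking: mid-stream 'pickup' versus
nopickup, and the effect of the 'NEW but not SYN' drop rule (example only)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# TCP flag bits, same values as the TCP header uses
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_syn_only(flags: int) -> bool:
    """What iptables '--syn' matches: SYN set, ACK and RST clear."""
    return flags & (SYN | ACK | RST) == SYN


def flow_key(pkt: Packet) -> Tuple:
    """Direction-independent 4-tuple so both directions hit one entry."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class TcpTracker:
    """Minimal conntrack: 'pickup' decides whether a lone ACK may start a flow."""

    def __init__(self, pickup: bool):
        self.pickup = pickup
        self.table: Set[Tuple] = set()

    def classify(self, pkt: Packet) -> str:
        """State as '-m state' would report it, without touching the table."""
        if flow_key(pkt) in self.table:
            return "ESTABLISHED"
        if is_syn_only(pkt.flags):
            return "NEW"
        if self.pickup and pkt.flags & ACK and not pkt.flags & (SYN | RST):
            return "NEW"  # mid-stream pickup: state NEW although no SYN was seen
        return "INVALID"  # nopickup behaviour: unknown non-SYN packets are INVALID

    def confirm(self, pkt: Packet) -> None:
        """Entry is kept only once the packet has passed the filter."""
        self.table.add(flow_key(pkt))


def input_chain(tracker: TcpTracker, pkt: Packet,
                new_not_syn_rule: bool, open_ports=(80,)) -> str:
    """A constructed INPUT policy: ESTABLISHED accepted, NEW only to open ports."""
    state = tracker.classify(pkt)
    if state == "ESTABLISHED":
        verdict = "ACCEPT"
    elif state == "NEW" and new_not_syn_rule and not is_syn_only(pkt.flags):
        verdict = "DROP"  # -p tcp ! --syn -m state --state NEW -j DROP
    elif state == "NEW" and pkt.dport in open_ports:
        verdict = "ACCEPT"
    else:
        verdict = "DROP"  # INVALID, or NEW to a closed port
    if verdict == "ACCEPT":
        tracker.confirm(pkt)
    return verdict


def run_scenario(pickup: bool, new_not_syn_rule: bool) -> List[str]:
    """Constructed traffic: one real handshake, then a stray ACK with no history."""
    tracker = TcpTracker(pickup)
    packets = [
        Packet("192.0.2.10", 40000, "198.51.100.1", 80, SYN),         # client SYN
        Packet("192.0.2.10", 40000, "198.51.100.1", 80, ACK),         # third leg of handshake
        Packet("203.0.113.7", 51515, "198.51.100.1", 80, ACK),        # ACK, no tracked flow
        Packet("203.0.113.7", 51515, "198.51.100.1", 80, ACK | FIN),  # follow-up on that flow
    ]
    return [input_chain(tracker, p, new_not_syn_rule) for p in packets]


if __name__ == "__main__":
    for pickup, rule in [(True, False), (True, True), (False, False)]:
        print(f"pickup={pickup!s:5} new_not_syn_rule={rule!s:5} ->",
              run_scenario(pickup, rule))
```

With pickup enabled and no extra rule, the stray ACK is reported as NEW, accepted on port 80, and from then on everything on that 4-tuple is ESTABLISHED, which is the gap the thread is discussing. Adding the 'new not syn' rule drops it and, because the entry is never confirmed, the follow-up packet as well. With nopickup the same packets are INVALID and are dropped by the default policy, so the rule becomes redundant; it is still worth logging INVALID drops, since a sudden burst of them after a firewall restart is exactly the symptom Stephen describes.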
