On Thu, Apr 18, 2002 at 11:01:36AM +0100, Antony Stone wrote:
> On Thursday 18 April 2002 4:15 am, Ramin Alidousti wrote:
> >
> > > What I'd like to do is either kill all currently active connections from
> > > that IP or stop packet mangling according to rules that no longer
> > > exist. Any suggestion would be greatly appreciated.
> >
> > Can you not rmmod the conntrack and insmod it back in?
>
> Surely this would kill *all* the connections currently active through the
> box, not just the ones related to the user who's just logged off.

I don't know. Maybe. But didn't I hear from Harald that the conntrack can
pick up connections after the FW has rebooted? So, why not by bouncing the
module? I'll do some testing...

Ramin

> Yes, it will avoid the 'persistent connection' problem, but it's not going to
> make all the other users happy....
>
> My thought is to have a rule at the top of the FORWARDing chain which
> specifically blocks packets to/from (doesn't really matter which) the IP
> address which has just logged off - then the logon process removes that rule
> to allow packets to flow?
>
> Antony.
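Antony's per-user FORWARD rule, written out as a logoff/logon hook. This is an added example, not code from anyone in the thread; it assumes an iptables that understands `-C` (1.4.11 and later, so newer than the 2002 discussion), that it runs as root, and the hypothetical helper names `block_ip` and `unblock_ip`. Setting `DRY_RUN=1` prints the iptables commands instead of executing them, which is how the example can be exercised without touching a live ruleset.

```shell
#!/bin/sh
# Added example: block/unblock one address in FORWARD on logoff/logon.
# Assumes iptables with -C (1.4.11+), root, and DRY_RUN=1 for a dry run.

IPTABLES=${IPTABLES:-iptables}

# Execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if an identical rule already exists in FORWARD. Under DRY_RUN the
# kernel table is never consulted, so the answer is always "absent".
rule_present() {
    [ -n "${DRY_RUN:-}" ] && return 1
    "$IPTABLES" -C FORWARD "$@" 2>/dev/null
}

# The address usually arrives from an accounting/RADIUS hook; refuse
# anything that is not a dotted quad before it reaches the iptables
# command line. (Shape check only; octet ranges are not validated.)
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Logoff: DROP both directions for the address, inserted at position 1.
# Position matters: the usual "-m state --state ESTABLISHED,RELATED -j
# ACCEPT" rule earlier in the chain would otherwise keep passing the
# flows that conntrack already knows about, which is exactly the
# "persistent connection" problem being discussed.
block_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "block_ip: bad address '$ip'" >&2; return 1; }
    for dir in -s -d; do
        rule_present "$dir" "$ip" -j DROP ||
            run "$IPTABLES" -I FORWARD 1 "$dir" "$ip" -j DROP
    done
}

# Logon: delete every copy of those rules. A logoff hook that fired
# twice before -C existed could have left duplicates, and one surviving
# DROP would keep the user locked out.
unblock_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "unblock_ip: bad address '$ip'" >&2; return 1; }
    for dir in -s -d; do
        if [ -n "${DRY_RUN:-}" ]; then
            run "$IPTABLES" -D FORWARD "$dir" "$ip" -j DROP
            continue
        fi
        while rule_present "$dir" "$ip" -j DROP; do
            "$IPTABLES" -D FORWARD "$dir" "$ip" -j DROP
        done
    done
}

# Usage from a logoff/logon script:
#   ./acct-hook.sh block 192.0.2.17
#   ./acct-hook.sh unblock 192.0.2.17
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Two things to keep in mind with this approach: the DROP rules stop the packets, but the conntrack entries for those flows stay in the table until they time out on their own, so this does not "kill" the connections in the sense of clearing state, it just makes that state harmless; and because the rule is inserted at position 1 it also sits ahead of any logging or accounting rules, so traffic from the logged-off address will not show up there.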
