On Sun, Dec 16, 2001 at 06:13:56PM +0900, Jin Hong wrote:

> Hello.

Hi there,


> I must be doing something stupid, but cannot get the connection tracking
> to work correctly.

It does work correctly.. it's just not what you're expecting.


> "ESTABLISHED" matches packets that use a connection "which has seen
> packets in both directions".
> When I telnet from "myhost" to "outside", "myhost" first sends a syn packet.
> The acknowledgement packet coming from "outside" does not match any
> "ESTABLISHED" connection, so should be dropped following the "policy".
> So we should not be able to make any connections from "myhost".

The state for a connection is updated before the filtering decision is
made.  So, the ACK packet bumps the connection to the ESTABLISHED state,
and then when it comes around to get filtered, it will match an
ESTABLISHED connection, and thus be let through according to your rule.
Granted, it's somewhat weird behavior, but useful.


cheers,
Lennert
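A small model of the ordering Lennert describes, added here as an example rather than code from the list or the kernel. The ruleset (accept anything sent by "myhost", accept ESTABLISHED, policy DROP) and the port numbers are assumptions; the same tracker is run with the question's assumed ordering (filter first, then update) to show why the SYN/ACK would then be dropped.

```python
# Constructed model of netfilter connection tracking; not the kernel's code.
# Assumed ruleset: accept anything from "myhost", accept ESTABLISHED, else DROP.
from dataclasses import dataclass

MYHOST = "myhost"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Conntrack:
    """One entry per original-direction tuple, flagged True once a packet
    has been seen travelling in the reply direction."""
    def __init__(self):
        self.seen_reply = {}

    def _lookup(self, pkt):
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply in self.seen_reply:
            return reply, True       # packet is a reply to a tracked connection
        return orig, False           # original direction (existing or brand new)

    def track(self, pkt):
        """Update the entry, then report the state: netfilter does this before filtering."""
        key, is_reply = self._lookup(pkt)
        self.seen_reply[key] = self.seen_reply.get(key, False) or is_reply
        return "ESTABLISHED" if self.seen_reply[key] else "NEW"

    def peek(self, pkt):
        """State as it was before this packet: the ordering the question assumed."""
        key, _ = self._lookup(pkt)
        return "ESTABLISHED" if self.seen_reply.get(key, False) else "NEW"

def verdict(pkt, state):
    if pkt.src == MYHOST or state == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"                    # chain policy

def run(packets, update_before_filter=True):
    """Return (state, verdict) per packet under the chosen ordering."""
    ct, out = Conntrack(), []
    for pkt in packets:
        state = ct.track(pkt) if update_before_filter else ct.peek(pkt)
        out.append((state, verdict(pkt, state)))
        if not update_before_filter:
            ct.track(pkt)            # entry still updated, only afterwards
    return out

# Constructed packets: myhost opens telnet to outside and outside answers;
# UNSOLICITED is a SYN from outside with no prior connection.
HANDSHAKE = [Packet(MYHOST, "outside", 40000, 23), Packet("outside", MYHOST, 23, 40000)]
UNSOLICITED = [Packet("outside", MYHOST, 51000, 23)]
```

With netfilter's ordering the SYN/ACK is already ESTABLISHED when the filter sees it, while an unsolicited inbound SYN stays NEW and hits the policy.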
_______________________________________________
Bridge mailing list
http://www.math.leidenuniv.nl/mailman/listinfo/bridge