----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Bart De Schuymer" <[EMAIL PROTECTED]>
Cc: "Jin Hong" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, December 16, 2001 6:23 PM
Subject: Re: [Bridge] conn-track ESTABLISED matching everthing

> Bart De Schuymer wrote:
>
> > There are 4 possible states:
> > - INVALID: something invalid :)
> > - NEW: new connection
> > - RELATED: related new connection
>
> RELATED: related to an existing connection. This includes related ICMP,
> and expected secondary connections.
>
> > - ESTABLISHED: the rest
>
> ESTABLISHED: where traffic has or is being seen in both directions.

I quote the iptables man:
"ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions"
Now that _is_ confusing because that reply message is part of a connection that has _not_ seen packets in both directions. Your explanation of the term would make more sense in the man page.

> > So: the first valid response to a packet sent to the outside will have the
> > state ESTABLISHED.
> > The man page of iptables is a bit unclear about the definition of
> > ESTABLISHED if you ask me...
>
> The trap quite many go into is thinking there is a relation between the
> netfilter conntrack states and the TCP states. There is not. netfilter
> only cares about packet directions, not SYN flags etc.

not me...

> When you accept ESTABLISHED, you SHOULD also accept RELATED. If not some
> things will break.

Are you talking about oopses or something? Why would this rule 'break' anything:

iptables -A FORWARD -d 172.16.1.2 -p tcp -m state --state ESTABLISHED -j ACCEPT

cheers,
Bart
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
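The exchange above turns on two points: conntrack state is decided by packet direction alone (Henrik's description), and an ESTABLISHED-only rule silently drops RELATED traffic such as ICMP errors that refer to a tracked flow. The following is an added, deliberately simplified model written for this thread; it is not netfilter code and omits timeouts, TCP window tracking and helper expectations (FTP data channels and the like). It replays constructed sample traffic through Bart's FORWARD rule shape once with ESTABLISHED only and once with ESTABLISHED,RELATED, so the difference is visible in the verdicts. Addresses other than 172.16.1.2 (taken from Bart's rule) are hypothetical.

```python
"""Toy model of netfilter conntrack state classification (added
illustration for this thread, not netfilter's own code). State depends
only on direction: a flow is ESTABLISHED once both directions were seen;
ICMP errors that embed a tracked flow are RELATED; no SYN/FIN inspection."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 5-tuple key: (proto, src, sport, dst, dport)
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    # For ICMP errors: 5-tuple of the embedded (offending) packet, in the
    # direction that packet travelled. None for ordinary traffic.
    icmp_error_for: Optional[FlowKey] = None

    def key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def reverse(key: FlowKey) -> FlowKey:
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class ConnTracker:
    """Flows keyed by their ORIGINAL direction, value = reply seen yet."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, bool] = {}

    def _find(self, key: FlowKey):
        """(original_key, direction) for a tracked flow, else (None, None)."""
        if key in self.flows:
            return key, "original"
        if reverse(key) in self.flows:
            return reverse(key), "reply"
        return None, None

    def classify(self, pkt: Packet) -> str:
        if pkt.icmp_error_for is not None:
            # ICMP error: RELATED if it refers to a tracked flow, else INVALID.
            orig, _ = self._find(pkt.icmp_error_for)
            return "RELATED" if orig is not None else "INVALID"
        orig, direction = self._find(pkt.key())
        if orig is None:
            self.flows[pkt.key()] = False
            return "NEW"
        if direction == "reply":
            self.flows[orig] = True          # both directions now seen
            return "ESTABLISHED"
        # Original direction again: ESTABLISHED only once a reply was seen.
        return "ESTABLISHED" if self.flows[orig] else "NEW"


def forward_policy(packets, accepted_states, protected_host="172.16.1.2"):
    """Bart's rule shape: ACCEPT packets towards the protected host whose
    state is in accepted_states, DROP the rest; outbound traffic is ACCEPTed."""
    ct = ConnTracker()
    verdicts = []
    for pkt in packets:
        state = ct.classify(pkt)
        if pkt.dst != protected_host:
            verdict = "ACCEPT"
        else:
            verdict = "ACCEPT" if state in accepted_states else "DROP"
        verdicts.append((state, verdict))
    return verdicts


# Constructed sample traffic (hypothetical addresses): the inside host opens
# a TCP connection, the server replies, the host sends data, and a router on
# the path returns an ICMP "fragmentation needed" error about that data.
INSIDE, SERVER, ROUTER = "172.16.1.2", "198.51.100.10", "203.0.113.1"
SAMPLE = [
    Packet("tcp", INSIDE, 40000, SERVER, 80),      # SYN out
    Packet("tcp", SERVER, 80, INSIDE, 40000),      # SYN/ACK back
    Packet("tcp", INSIDE, 40000, SERVER, 80),      # data out
    Packet("icmp", ROUTER, 0, INSIDE, 0,
           icmp_error_for=("tcp", INSIDE, 40000, SERVER, 80)),
]


def compare_policies():
    """Same traffic under ESTABLISHED-only and ESTABLISHED,RELATED."""
    return {
        "ESTABLISHED": forward_policy(SAMPLE, {"ESTABLISHED"}),
        "ESTABLISHED,RELATED": forward_policy(SAMPLE, {"ESTABLISHED", "RELATED"}),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy)
        for pkt, (state, verdict) in zip(SAMPLE, result):
            print(f"  {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                  f"  {state:12} {verdict}")
```

Running it shows the first reply packet already classified ESTABLISHED (Bart's reading of the man page), a reply arriving with no original-direction packet classified NEW rather than INVALID (direction only, no TCP state), and the ICMP error DROPped by the ESTABLISHED-only rule but ACCEPTed once RELATED is added, which is the kind of breakage Henrik means.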
