In a message of 07 Jun at 11:57, Emmanuel Fleury wrote:
> Does this mean that you are mapping the packets to a state (NEW,
> ESTABLISHED, RELATED, INVALID) only based on information in their
> header and a query to the connection table? And that you do not
> care about the previous state of the connection?

I really do not understand what you mean. The conntrack stores the previous
state of the TCP connection. So indeed, when a packet arrives, it checks the
information in the TCP and IP headers and tries to see if there is something
stored about this TCP connection.

E.g. for a SYN/ACK packet:
  the conntrack says "I've seen a SYN from this guy" -> the packet is matched
  as ESTABLISHED
  the conntrack says "I've never seen anything" -> the packet is matched as
  INVALID

For your beloved ACK packets:
  the conntrack knows a connection is established -> ACK is matched as
  ESTABLISHED
  the conntrack has seen no connection -> ACK is matched as NEW

> Moreover, is it possible to create an entry in the connection table
> just by sending an ACK??? (somebody wrote this at some point).

Of course! This is what is done when an ACK packet is received and the
conntrack can't find a related established connection.

> Finally, I tried to think about this 'connection pick-up' thing and
> I really don't understand how you can restore a connection after
> the reboot. What is the algorithm which is used for this?

This is a firewall. Basically you let packets pass or you do not. In the case
of connection pick-up, the firewall sees the ACK and thinks "oh, it looks like
there is an established connection but I wasn't there during establishment.
I'll let this connection go on. The following ACK packets will be matched as
ESTABLISHED."

> (My problem is that in the case of a NAT, you can receive an ACK packet
> on your FORWARD chain coming from outside and you have to translate
> it to your inner network. But you lost all the information about it).

Of course, it does not work for a NATed connection if the ACK packet comes
from outside.

-- 
Guillaume Morin <[EMAIL PROTECTED]>

Unwisely, Santa offered a teddy bear to James, unaware that he had been mauled
by a grizzly earlier that year (T. Burton)
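The state mapping Guillaume lays out, as an added example that is not part of the original message and not netfilter's own code: a small Python model of the SYN / SYN-ACK / ACK classification rules, including connection pick-up. The addresses, ports and the `pickup` switch are constructed assumptions for the demo.

```python
# Added example, not code from the message or from netfilter: a toy model of
# the TCP state mapping described above, including "connection pick-up" (a
# bare ACK with no known connection is matched as NEW and creates an entry).
NEW, ESTABLISHED, INVALID = "NEW", "ESTABLISHED", "INVALID"
class Conntrack:
    def __init__(self, pickup=True):
        self.table = {}        # flow key -> "SYN_SEEN" or "ESTABLISHED"
        self.pickup = pickup   # False models a firewall that refuses pick-up
    @staticmethod
    def key(pkt):
        # Direction-agnostic key so both halves of a flow share one entry.
        return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
    def classify(self, pkt):
        k, flags = self.key(pkt), pkt["flags"]
        entry = self.table.get(k)
        if flags == {"SYN"}:
            self.table.setdefault(k, "SYN_SEEN")   # retransmitted SYN stays NEW
            return NEW
        if flags == {"SYN", "ACK"}:
            if entry is None:
                return INVALID                  # "I've never seen anything"
            self.table[k] = "ESTABLISHED"       # "I've seen a SYN from this guy"
            return ESTABLISHED
        if "ACK" in flags:
            if entry is not None:               # connection known -> ESTABLISHED
                self.table[k] = "ESTABLISHED"
                return ESTABLISHED
            if self.pickup:                     # firewall "wasn't there": pick it up
                self.table[k] = "ESTABLISHED"   # later ACKs now match ESTABLISHED
                return NEW
        return INVALID
C, S = "10.0.0.2", "192.0.2.1"   # constructed client and server addresses
def pkt(src, dst, *flags):
    sp, dp = (40000, 80) if src == C else (80, 40000)
    return {"src": src, "sport": sp, "dst": dst, "dport": dp, "flags": set(flags)}

def full_handshake():
    ct = Conntrack()
    return [ct.classify(pkt(C, S, "SYN")), ct.classify(pkt(S, C, "SYN", "ACK")),
            ct.classify(pkt(C, S, "ACK"))]    # ['NEW', 'ESTABLISHED', 'ESTABLISHED']

def unsolicited(pickup):
    # SYN/ACK then ACK from the server side with no SYN ever seen, then a reply ACK.
    ct = Conntrack(pickup)
    return [ct.classify(pkt(S, C, "SYN", "ACK")), ct.classify(pkt(S, C, "ACK")),
            ct.classify(pkt(C, S, "ACK"))]
    # pickup=True: ['INVALID', 'NEW', 'ESTABLISHED']; pickup=False: all INVALID
# Defender note: a rule that ACCEPTs state NEW without also requiring --syn admits
# the picked-up ACK; "-p tcp ! --syn -m state --state NEW -j DROP" ahead of it does not.
```

On current kernels the pick-up behaviour modelled by the `pickup` switch is controlled by the `net.netfilter.nf_conntrack_tcp_loose` sysctl.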