ipchains is not stateful so it doesn't need conntrack... right?
jd
>From: Christian Seberino <[EMAIL PROTECTED]>
>To: Patrick Schaaf <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: how is this stuff getting thru default deny iptables firewall?....
>Date: Tue, 9 Jul 2002 12:08:52 -0700
>
>> On the other hand, if there is not yet a conntrack record in existence
>> for the packet, the nat PREROUTING table is consulted
>
>Patrick
>
>I appreciate all your help and after thinking about this on my vacation
>last week I think I got it now thanks to your feedback!
>Can I ask you a few questions to verify I got what you said regarding
>how a private LAN can use DNS, HTTP, SMTP, etc. thru an SSH-only
>firewall?...
>
>My main confusion I believe was that packets associated with preexisting
>conntracks are handled differently than packets *not* associated
>with a previous conntrack.
>
>Q1: The conntrack is the "memory" of netfilter that allows it to make
>decisions based on "history" of PC traffic right?
>
>Q2: Packets with a previous associated conntrack are handled *differently*
>than ones without previous conntrack... and any attempt to try to understand
>behavior of firewall *without* this concept is doomed to confusion right?
>
>Q3: Is conntrack a new "iptables only" feature? I imagine ancient
>ipchains/ipfwadmin would have had same issues and therefore would need
>something like "conntrack" to work correctly right?
>
>Sincerely,
>
>Chris
>--
>Dr. Christian Seberino
>SPAWAR Systems Center San Diego
>Code 2363
>53560 Hull Street
>San Diego, CA 92152-5001
>U.S.A.
>
>Phone: (619) 553-7940
>Fax: (619) 553-2836
>Email: [EMAIL PROTECTED]

thanks,
jd
[EMAIL PROTECTED]
http://www.taproot.bz
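As an added example (not code from jd, Christian or the netfilter project), here is a ruleset of the kind Christian is asking about: default deny on every chain, SSH the only inbound service, and the LAN's DNS/HTTP/SMTP replies let back through purely by conntrack state. The interface names and the LAN prefix are assumptions; the script prints the commands instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Default-deny, SSH-only iptables firewall for a router in front of a private LAN.
# Dry run by default: set IPT=iptables (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                  # assumed external interface
LAN="${LAN:-eth1}"                  # assumed internal interface
LANNET="${LANNET:-192.168.1.0/24}"  # assumed private LAN prefix

build_rules() {
    # Default deny: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Conntrack is what makes the rest work. A packet belonging to a connection
    # netfilter has already seen (ESTABLISHED), or one it expects because of such
    # a connection (RELATED, e.g. ICMP errors), is accepted by this single rule
    # regardless of port or direction. Only the *first* packet of a connection
    # is NEW and has to match one of the per-service rules further down.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A $chain -m state --state INVALID -j DROP
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The only NEW connection accepted from the outside: SSH to the firewall itself.
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # NEW connections the LAN may open through the firewall. Their replies need
    # no rules of their own: the conntrack entry created by the first packet lets
    # them back in via the ESTABLISHED rule, although the default policy would
    # otherwise drop them.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LANNET -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LANNET -p tcp -m multiport --dports 53,80,25 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT   # the firewall's own outbound traffic

    # The nat table is consulted only for the first packet of a connection; the
    # resulting mapping is stored in the conntrack entry and reused for the rest.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LANNET -j MASQUERADE
}

# Number of generated rules that depend on conntrack state (checkable in a dry run).
count_state_rules() {
    build_rules | grep -c -- '--state'
}

build_rules
```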
