With no conntrack how would ipchains know to treat packets of an ESTABLISHED connection differently?

CS

On Tue, Jul 09, 2002 at 07:43:42PM +0000, j davis wrote:
>
> ipchains is not stateful so it doesn't need conntrack...right?
> jd
>
> >From: Christian Seberino <[EMAIL PROTECTED]>
> >To: Patrick Schaaf <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: how is this stuff getting thru default deny iptables firewall?....
> >Date: Tue, 9 Jul 2002 12:08:52 -0700
> >
> > > On the other hand, if there is not yet a conntrack record in existence
> > > for the packet, the nat PREROUTING table is consulted
> >
> >Patrick
> >
> >I appreciate all your help and after thinking about this on my vacation
> >last week I think I got it now thanks to your feedback!
> >Can I ask you a few questions to verify I got what you said regarding
> >how a private LAN can use DNS, HTTP, SMTP, etc. thru an SSH-only
> >firewall?...
> >
> >My main confusion I believe was that packets associated with preexisting
> >conntracks are handled differently than packets *not* associated
> >with a previous conntrack.
> >
> >Q1: The conntrack is the "memory" of netfilter that allows it to make
> >decisions based on "history" of PC traffic right?
> >
> >Q2: Packets with a previous associated conntrack are handled *differently*
> >than ones without previous conntrack... and any attempt to try to understand
> >behavior of firewall *without* this concept is doomed
> >to confusion right?
> >
> >Q3: Is conntrack a new "iptables only" feature? I imagine ancient
> >ipchains/ipfwadmin would have had same issues and therefore would need
> >something like "conntrack" to work correctly right?
> >
> >Sincerely,
> >
> >Chris
> >--
> >_______________________________________
> >
> >Dr. Christian Seberino
> >SPAWAR Systems Center San Diego
> >Code 2363
> >53560 Hull Street
> >San Diego, CA 92152-5001
> >U.S.A.
> >
> >Phone: (619) 553-7940
> >Fax: (619) 553-2836
> >Email: [EMAIL PROTECTED]
> >_______________________________________
>
> thanks,
> jd
>
> [EMAIL PROTECTED]
> http://www.taproot.bz

--
_______________________________________

Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax: (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
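
Added example, not part of the original thread and not netfilter or ipchains code: a toy Python model of the distinction the thread is asking about, a per-packet filter with no memory next to a default-deny filter that consults a flow table first. The LAN prefix, the sample addresses and the single "LAN may open flows" rule are assumptions made for the illustration.

```python
from typing import NamedTuple

LAN = "192.168.1."  # constructed private LAN prefix (assumption)

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a connection attempt

def stateless_accept(pkt):
    """No memory: guess "reply" from header bits alone (assumed rule, in the
    spirit of ipchains' `! -y` test for non-SYN TCP packets)."""
    if pkt.src.startswith(LAN):
        return True
    return not pkt.syn_only

class ConntrackFilter:
    """Default deny, plus a flow table consulted before any rule."""
    def __init__(self):
        self.flows = {}  # tuple of a flow's first packet -> reply seen yet?

    def state(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rkey in self.flows:      # reply direction of a recorded flow
            self.flows[rkey] = True
            return "ESTABLISHED"
        if self.flows.get(key):     # original direction, reply already seen
            return "ESTABLISHED"
        return "NEW"

    def accept(self, pkt):
        if self.state(pkt) == "ESTABLISHED":
            return True             # accepted on history, rules not consulted
        if pkt.src.startswith(LAN): # the only rule: LAN may open flows
            self.flows.setdefault((pkt.src, pkt.sport, pkt.dst, pkt.dport), False)
            return True
        return False                # NEW from outside: default deny

# Constructed sample packets: a DNS query, its reply, and an unsolicited datagram.
QUERY = Packet("192.168.1.10", 40000, "203.0.113.5", 53)
REPLY = Packet("203.0.113.5", 53, "192.168.1.10", 40000)
STRAY = Packet("198.51.100.7", 53, "192.168.1.10", 40001)

if __name__ == "__main__":
    fw = ConntrackFilter()
    for name, p in (("query", QUERY), ("reply", REPLY), ("stray", STRAY)):
        print(name, "stateless:", stateless_accept(p), "conntrack:", fw.accept(p))
```

The memoryless filter passes the unsolicited datagram because nothing in its headers distinguishes it from a reply, while the flow-table filter drops it for lack of a matching entry.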
