Miguel Ángel,

On Thu, Oct 23, 2014 at 5:56 AM, Miguel Angel Ajo Pelayo
<mangel...@redhat.com> wrote:
> Temporarily removing this entry doesn't seem like a good solution
> to me as we can't really know how long we need to remove this rule to
> induce the connection to close at both ends (it will only close if no
> new activity happens, and timeout is exhausted afterwards).

I think you're right here.  I think any activity will keep the
connection alive in conntrack.  So, we are at the mercy of the
timeouts at both ends.  Assuming an attacker has control over at least
the external endpoint, it could be kept "open" indefinitely generating
"activity".

Carl
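A small constructed model of the behaviour Carl describes, added here for illustration (it is not code from Neutron, netfilter, or anyone in the thread): a conntrack entry that keeps being refreshed outlives the rule that admitted it, and only idleness past the timeout or an explicit deletion of the entry ends the flow. The class, function names, timeout values and endpoints are all assumptions.

```python
# Toy model of a conntrack table, constructed for illustration only (not
# netfilter or Neutron code); timeouts, endpoints and timeline are made up.
class ConntrackModel:
    def __init__(self, timeout):
        self.timeout = timeout        # seconds idle before an entry is evicted
        self.table = {}               # flow -> last_seen timestamp
        self.rule_allows_new = True   # the ACCEPT rule for NEW connections

    def packet(self, flow, now):
        # An existing entry is refreshed regardless of the filter rule,
        # which only decides whether a NEW entry may be created.
        if flow in self.table:
            self.table[flow] = now
            return "ACCEPT_ESTABLISHED"
        if self.rule_allows_new:
            self.table[flow] = now
            return "ACCEPT_NEW"
        return "DROP"

    def expire(self, now):   # evict entries idle for at least the timeout
        for f in [f for f, seen in self.table.items() if now - seen >= self.timeout]:
            del self.table[f]

    def delete_flow(self, flow):   # explicit operator deletion of an entry
        self.table.pop(flow, None)

FLOW = ("10.0.0.5:40000", "203.0.113.9:22")   # constructed endpoints
def fresh_table(timeout):
    # Flow established while the rule was present, then the rule is removed.
    ct = ConntrackModel(timeout)
    ct.packet(FLOW, 0)
    ct.rule_allows_new = False
    return ct

def survives_with_activity(timeout=60, every=30, horizon=600):
    ct = fresh_table(timeout)
    for t in range(every, horizon + 1, every):   # peer keeps sending under the timeout
        ct.expire(t)
        ct.packet(FLOW, t)
    return FLOW in ct.table

def survives_when_idle(timeout=60):
    ct = fresh_table(timeout)
    ct.expire(timeout)   # nothing sent for a full timeout
    return FLOW in ct.table

def after_explicit_delete(timeout=60):
    ct = fresh_table(timeout)
    ct.delete_flow(FLOW)
    return FLOW in ct.table, ct.packet(FLOW, 1)   # next packet is NEW, hence DROP
```

The third case is the defender's lever: once the entry is gone, the next packet is evaluated as a NEW connection against the current rule set.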

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev