On Fri, Nov 16, 2018 at 6:50 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> You would see the same thing with other protocols. If you look at the
> last entry in the iptrace output that you posted, you will see that the
> last rule matched is rule #4 in the chain dmz12-fw which is:
>
>    10   600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
>            ctstate RELATED,ESTABLISHED
>
> Since there was a ping flow established before you swapped the cable,
> there was an entry in the conntrack table for that flow:
>
> icmp     1 29 src=192.168.215.200 dst=192.168.215.1 type=8 code=0 id=1 
> packets=117 bytes=7020 src=192.168.215.1 dst=192.168.215.200 type=0 code=0 
> id=1 packets=117 bytes=7020 mark=0 use=1
>
> As long as that entry hasn't timed out (and at the time of the dump, it
> wouldn't time out for another 29 seconds), packets matching that entry
> will be accepted by rule 4.
>
> If you had simply stopped pinging for 30 seconds then started pinging
> again, those later echo-request packets would have been dropped.

A huge thanks for this explanation!
It's really great to know what happens under the hood.

Vieri


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
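The behaviour Tom describes (an existing conntrack entry keeps a flow alive past a cable swap, every matching packet restarts the timer, and a pause longer than the timer turns the next echo-request into a NEW packet that rule 4 no longer matches) can be reproduced in a small model. The following is an added example written for this page, not Shorewall or kernel code. It assumes the kernel default ICMP conntrack timeout of 30 seconds (check the real value with `sysctl net.netfilter.nf_conntrack_icmp_timeout`), and that nothing later in the `dmz12-fw` chain accepts a NEW echo-request, so such a packet ends in DROP. The entry it parses is the conntrack line quoted above, copied in as constructed sample input; the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass

# Assumption: the kernel default nf_conntrack_icmp_timeout (30 s). Check the
# real value with: sysctl net.netfilter.nf_conntrack_icmp_timeout
ICMP_TIMEOUT = 30

# Constructed sample input: the conntrack entry quoted in the thread.
CONNTRACK_LINE = (
    "icmp     1 29 src=192.168.215.200 dst=192.168.215.1 type=8 code=0 id=1 "
    "packets=117 bytes=7020 src=192.168.215.1 dst=192.168.215.200 type=0 code=0 "
    "id=1 packets=117 bytes=7020 mark=0 use=1"
)


@dataclass
class Entry:
    key: tuple         # (src, dst, icmp id) of the original direction
    expires_at: float  # absolute time (s) at which the entry is gone


def parse_icmp_entry(line, now=0.0):
    """Parse one 'icmp <proto#> <seconds-left> src=.. dst=.. ... id=N ...' line.
    The first src/dst/id triple is the original direction; the reply direction
    is derived by swapping src and dst rather than parsed separately."""
    fields = line.split()
    if fields[0] != "icmp":
        raise ValueError("only ICMP entries are modelled here")
    seconds_left = int(fields[2])  # third column: time left before expiry
    m = re.search(r"src=(\S+) dst=(\S+) type=\d+ code=\d+ id=(\d+)", line)
    if m is None:
        raise ValueError("unrecognised conntrack line")
    key = (m.group(1), m.group(2), int(m.group(3)))
    return Entry(key, now + seconds_left)


def reverse(key):
    src, dst, icmp_id = key
    return (dst, src, icmp_id)


class Conntrack:
    """Minimal model of the conntrack table for ICMP echo flows."""

    def __init__(self, entries=()):
        self.table = {e.key: e for e in entries}

    def state(self, pkt, now):
        """Classify a packet tuple as ESTABLISHED or NEW, refreshing the timer."""
        e = self.table.get(pkt) or self.table.get(reverse(pkt))
        if e is None:
            return "NEW"
        if e.expires_at <= now:            # timer ran out: the entry is gone
            del self.table[e.key]
            return "NEW"
        e.expires_at = now + ICMP_TIMEOUT  # each matching packet restarts the timer
        return "ESTABLISHED"


def dmz12_fw(ct, pkt, now):
    """The relevant part of the quoted chain: rule 4 accepts ctstate
    RELATED,ESTABLISHED. Assumption: nothing later in the chain accepts a
    NEW echo-request from this zone, so it ends in DROP."""
    if ct.state(pkt, now) == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"


ECHO_REQ = ("192.168.215.200", "192.168.215.1", 1)    # same tuple as the entry
ECHO_REPLY = ("192.168.215.1", "192.168.215.200", 1)  # reply direction
OTHER_PING = ("192.168.215.200", "192.168.215.1", 2)  # a new ping process: new id


def simulate(gap):
    """At t=0 the table holds the quoted entry (29 s left). Ping once a second
    for t=0..4, then pause `gap` seconds and send one more echo-request.
    Returns the list of verdicts for the six packets."""
    ct = Conntrack([parse_icmp_entry(CONNTRACK_LINE, now=0.0)])
    verdicts = [dmz12_fw(ct, ECHO_REQ, t) for t in range(5)]
    verdicts.append(dmz12_fw(ct, ECHO_REQ, 4 + gap))
    return verdicts


def other_cases():
    """Reply direction rides on the same entry; a different ICMP id does not."""
    ct = Conntrack([parse_icmp_entry(CONNTRACK_LINE, now=0.0)])
    return {
        "reply_direction": dmz12_fw(ct, ECHO_REPLY, 1),
        "different_icmp_id": dmz12_fw(ct, OTHER_PING, 1),
    }


if __name__ == "__main__":
    print("ping every second, then 10 s gap:", simulate(10))
    print("ping every second, then 31 s gap:", simulate(31))
    print(other_cases())
```

With a 10 s gap every packet is accepted, because the last ping refreshed the entry and it is still live when the next one arrives; with a 31 s gap the entry has expired, the next echo-request is NEW, rule 4 does not match, and the packet is dropped. The `other_cases` check shows the two edges worth knowing: the echo-reply direction matches the same entry (conntrack looks up both tuples), while a new ping process with a different ICMP id has no entry at all and is dropped even though the old one is still live.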