On Fri, Nov 16, 2018 at 6:50 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> You would see the same thing with other protocols. If you look at the
> last entry in the iptrace output that you posted, you will see that the
> last rule matched is rule #4 in the chain dmz12-fw, which is:
>
> 10 600 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
>
> Since there was a ping flow established before you swapped the cable,
> there was an entry in the conntrack table for that flow:
>
> icmp 1 29 src=192.168.215.200 dst=192.168.215.1 type=8 code=0 id=1 packets=117 bytes=7020 src=192.168.215.1 dst=192.168.215.200 type=0 code=0 id=1 packets=117 bytes=7020 mark=0 use=1
>
> As long as that entry hasn't timed out (and at the time of the dump, it
> wouldn't time out for another 29 seconds), packets matching that entry
> will be accepted by rule 4.
>
> If you had simply stopped pinging for 30 seconds then started pinging
> again, those later echo-request packets would have been dropped.
A huge thanks for this explanation! It's really great to know what happens under the hood.

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
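The mechanism Tom describes, as an added example that is not part of the original thread and not Shorewall's or the kernel's code: a small Python model of the conntrack table and of a zone-to-firewall chain whose rule 4 is `ctstate RELATED,ESTABLISHED -> ACCEPT`. The addresses and the 30 s ICMP timeout are taken from the thread; the interface names eth1/eth2, the "echo-request allowed only from eth1" rule standing in for whatever follows rule 4 in the real dmz12-fw chain, and the cable swap at t=10 are constructed for the demonstration.

```python
"""Toy model of the conntrack behaviour discussed in the thread above.

Added example; not Shorewall's code and not the kernel's implementation. It models
just enough of netfilter connection tracking to reproduce what Tom describes: the
tuple for an ICMP echo flow is (src, dst, icmp id) and does not include the
ingress interface, every packet on the flow refreshes the 30 s ICMP timeout, and
the ctstate RELATED,ESTABLISHED rule is evaluated before anything that looks at
where the packet came from. Addresses and the 30 s timeout come from the thread;
the interface names, the 'echo-request allowed only from eth1' rule and the
t=10 cable swap are constructed for the demonstration.
"""
from dataclasses import dataclass

ICMP_TIMEOUT = 30        # nf_conntrack_icmp_timeout default; the dump showed 29 s remaining
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    iface: str           # interface the packet arrived on; deliberately NOT in the tuple

    @property
    def is_reply(self):
        return self.icmp_type == ECHO_REPLY

    def flow_key(self):
        """Direction-independent key: a reply is looked up under the original tuple."""
        if self.is_reply:
            return (self.dst, self.src, self.icmp_id)
        return (self.src, self.dst, self.icmp_id)


class Conntrack:
    """Minimal conntrack table: flow_key -> [expiry_time, seen_reply]."""

    def __init__(self):
        self.table = {}

    def classify(self, pkt, now):
        """Return the ctstate a rule would see, creating/refreshing the entry like the kernel."""
        key = pkt.flow_key()
        entry = self.table.get(key)
        if entry is None or entry[0] <= now:
            if pkt.is_reply:          # a reply with no live request is INVALID, not NEW
                self.table.pop(key, None)
                return "INVALID"
            self.table[key] = [now + ICMP_TIMEOUT, False]
            return "NEW"
        entry[0] = now + ICMP_TIMEOUT       # any packet on the flow refreshes the timeout
        if pkt.is_reply:
            entry[1] = True                 # both directions seen -> ESTABLISHED from now on
        return "ESTABLISHED" if entry[1] else "NEW"

    def remaining(self, pkt, now):
        """Seconds left on the entry, i.e. the third column of the conntrack dump (29 above)."""
        entry = self.table.get(pkt.flow_key())
        return max(0, entry[0] - now) if entry else 0

    def delete_by_src(self, src):
        """Model of `conntrack -D -s <src>`: forget every flow originated by src."""
        for key in [k for k in self.table if k[0] == src]:
            del self.table[key]


def zone_to_fw_chain(pkt, ctstate):
    """Stand-in for dmz12-fw: rule 4 first, then an assumed zone rule, then the policy."""
    if ctstate in ("RELATED", "ESTABLISHED"):
        return ("ACCEPT", "rule 4: ctstate RELATED,ESTABLISHED")
    if pkt.icmp_type == ECHO_REQUEST and pkt.iface == "eth1":   # assumed Ping rule
        return ("ACCEPT", "assumed echo-request rule for eth1")
    return ("DROP", "policy")


def run_scenario(pause, flush=False):
    """Ping from eth1 for 10 s, swap the cable to eth2, resume after `pause` seconds.

    Returns the verdict for the first echo-request that arrives via eth2.
    If `flush` is set the conntrack entry is deleted at the swap, as an admin would.
    """
    ct = Conntrack()
    host, fw = "192.168.215.200", "192.168.215.1"

    def send_echo(t, iface):
        req = Packet(host, fw, ECHO_REQUEST, 1, iface)
        verdict = zone_to_fw_chain(req, ct.classify(req, t))
        if verdict[0] == "ACCEPT":                    # the firewall answers
            ct.classify(Packet(fw, host, ECHO_REPLY, 1, "local"), t)
        return verdict

    for t in range(10):
        send_echo(t, "eth1")
    if flush:
        ct.delete_by_src(host)
    return send_echo(10 + pause, "eth2")


if __name__ == "__main__":
    print("resume at once    :", run_scenario(0))
    print("resume after 20 s :", run_scenario(20))
    print("resume after 30 s :", run_scenario(30))
    print("flushed at swap   :", run_scenario(0, flush=True))
```

The practical consequence for anyone relying on zone separation: an "accept ESTABLISHED" rule carries forward the decision made when the flow started, so moving a host to another interface, or tightening a rule, only takes effect for new flows until the existing conntrack entries expire. If the change has to bite immediately, delete the stale entries with conntrack-tools (for example `conntrack -D -s 192.168.215.200`) instead of waiting out the timeout; the `flush=True` case in the model shows the very next echo-request then being dropped.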