Re: ip_conntrack

To: debian-firewall@lists.debian.org
Cc:
Subject: Re: ip_conntrack
From: Blars Blarson <blarson@blars.org>
Date: Tue, 10 Feb 2004 11:05:28 -0800
Message-id: <[🔎] 200402101905.i1AJ5Sk6032124@renig.nat.blars.org>
In-reply-to: <[🔎] 20040210134500.GA22460@klub.org>
References: <[🔎] 4028CAB5.7080607@uni-paderborn.de> <[🔎] 4028CAB5.7080607@uni-paderborn.de>

In article <[🔎] 20040210134500.GA22460@klub.org> rory@klub.org writes:
>On Tue, Feb 10, 2004 at 01:12:37PM, Bjoern Schmidt wrote:
>> It is possible to clear all ore one entries in /proc/net/ip_conntrack
>> without a reboot? I know there is a timeout, but i would like to remove
>> them immediately if needed.

>As far as I'm aware, you can remove all, but not just one. If you
>/really/ need to do that, you're going to need to investigate sending
>spoofed RST packets, which can get rather hairy...

For tcp connections, you can use the cutter command (in the package of
the same name) to send the RST packets.  I just got a bug report about
it with a 2.6 kernel, so it may only work with 2.4 kernels for now.
Backporting to woody is a simple recompile.
-- 
Blars Blarson			blarson@blars.org
				http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.

Reply to:

References:
- ip_conntrack
  - From: Bjoern Schmidt <bj-schmidt@uni-paderborn.de>
- Re: ip_conntrack
  - From: Rory Irvine <rory@klub.org>

Prev by Date: Re: Writing rules based on program emitting/receiving paquet
Next by Date: Firewall script help
Previous by thread: Re: ip_conntrack
Next by thread: new comer
Index(es):
- Date
- Thread