I was surprised today to find an SSH connection from my LAN to the 'Net surviving a power cycle of my router -- a laptop running sarge with kernel 2.6 and iptables. I have the following two rules first thing in the FORWARD chain:

  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m conntrack --ctstate INVALID -j DROP

To me, this means that SYN packets may pass to the actual rules, and packets belonging to a connection known to the router are accepted. During the reboot, the router surely forgot about the existing connections, so why can the SSH connection persist? Is there some Linux magic going on?

-- 
Please do not send copies of list mail to me; I read the list!

martin f. krafft <madduck@debian.org>
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system

consciousness: that annoying time between naps.
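As an added illustration (not part of the post above), here is a small Python model of the conntrack behaviour that usually explains this: Linux TCP connection tracking runs in "loose" mode by default (sysctl net.netfilter.nf_conntrack_tcp_loose, ip_conntrack_tcp_loose on 2.6 kernels), so a plain ACK segment for a flow the freshly booted router has never seen is classified NEW rather than INVALID and creates an entry, after which the reply and everything that follows match --ctstate ESTABLISHED. The addresses, the "LAN may connect out" rule that follows the two posted ones, and the simplified state machine are assumptions, not the kernel's code.

```python
"""Toy model of Linux conntrack TCP classification after the state table
was lost in a reboot (assumed behaviour, not the kernel's implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"; sample addresses below are constructed
    dst: str
    syn: bool = False
    ack: bool = False


class Conntrack:
    def __init__(self, tcp_loose: bool = True):
        self.tcp_loose = tcp_loose
        # direction-agnostic flow key -> [originator, reply_seen]
        self.table: dict = {}

    def ctstate(self, p: Packet) -> str:
        key = frozenset((p.src, p.dst))
        entry = self.table.get(key)
        if entry is not None:
            orig, reply_seen = entry
            if p.src != orig:                 # packet in the reply direction
                entry[1] = True
                return "ESTABLISHED"
            return "ESTABLISHED" if reply_seen else "NEW"
        if p.syn and not p.ack:               # genuine handshake start
            self.table[key] = [p.src, False]
            return "NEW"
        if self.tcp_loose:                    # mid-stream pickup, no SYN seen
            self.table[key] = [p.src, False]
            return "NEW"
        return "INVALID"


def forward_verdict(ct: Conntrack, p: Packet, lan_prefix: str = "192.168.1.") -> str:
    """The two posted FORWARD rules, then an assumed 'LAN may connect out' rule."""
    state = ct.ctstate(p)
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if state == "INVALID":
        return "DROP"
    return "ACCEPT" if p.src.startswith(lan_prefix) else "DROP"


def after_reboot(tcp_loose: bool) -> list:
    """Empty table after the power cycle; the live SSH session keeps sending
    plain ACK segments, LAN side first, then the server's reply."""
    ct = Conntrack(tcp_loose)
    lan_to_net = Packet("192.168.1.10:40000", "203.0.113.5:22", ack=True)
    net_to_lan = Packet("203.0.113.5:22", "192.168.1.10:40000", ack=True)
    return [forward_verdict(ct, lan_to_net), forward_verdict(ct, net_to_lan)]
```

With loose tracking the session is picked up and both directions are accepted; with it disabled every segment of the old session is INVALID and the second rule drops it, which is also why a rule such as `-p tcp ! --syn -m conntrack --ctstate NEW -j DROP` is the usual way to insist on seeing the handshake.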