also sprach Ralf Döblitz <ralf@doeblitz.net> [2006.07.04.0927 +0200]:
> After reboot the packets of your SSH connection were not known to belong to
> an established connection but fell through to your set of filter rules.

How? I load the DROP rules before the ACCEPT ones. I can't think of
a way this would be possible.

> am sure that they were accepted there,

Yes, if they ever got there.

Many people have rules like

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

I've done research and found that

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

is the same, meaning that the INVALID state matches all non-SYN
packets at this point.
Still surprised,
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
"in a country where the sole employer is the state, opposition means
death by slow starvation. the old principle: who does not work shall
not eat, has been replaced by a new one: who does not obey shall not
eat."
-- leon trotsky, 1937
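The following is an added, constructed model of the situation discussed in this message; it is not code from the list or from the kernel. It simulates a conntrack table that is empty after a reboot, classifies a few constructed TCP packets as NEW, ESTABLISHED or INVALID, and runs both INPUT rule sets from the message over them. The `tcp_loose` flag is an assumption standing in for the Linux `nf_conntrack_tcp_loose` sysctl, which decides whether a non-SYN packet with no table entry is picked up as NEW (the kernel default) or treated as INVALID; with it off, the two rule sets give identical verdicts, as observed above, and with it on they diverge for a mid-stream packet to port 22.

```python
"""Simplified conntrack model (constructed example): classify packets and
evaluate the two INPUT rule sets from the message against them."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # SYN flag set
    ack: bool = False  # ACK flag set; SYN without ACK opens a connection

@dataclass
class ConntrackModel:
    # tcp_loose models nf_conntrack_tcp_loose: when true (Linux default) a
    # non-SYN packet with no entry is picked up as NEW, otherwise INVALID.
    tcp_loose: bool = True
    table: set = field(default_factory=set)  # empty right after a reboot

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def ctstate(self, p):
        if self.key(p) in self.table:
            return "ESTABLISHED"
        if p.syn and not p.ack:
            return "NEW"
        return "NEW" if self.tcp_loose else "INVALID"

    def confirm(self, p):
        # A NEW entry only becomes part of the table once the packet is accepted
        self.table.add(self.key(p))

# Rule sets as ordered (match, verdict) pairs; chain policy is DROP.
RULES_SYN = [
    (lambda s, p: s in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda s, p: p.dport == 22 and p.syn and not p.ack, "ACCEPT"),  # --syn
]
RULES_INVALID = [
    (lambda s, p: s in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda s, p: s == "INVALID", "DROP"),
    (lambda s, p: p.dport == 22, "ACCEPT"),
]

def walk(rules, state, p, policy="DROP"):
    """First matching rule wins, like iptables chain traversal."""
    for match, verdict in rules:
        if match(state, p):
            return verdict
    return policy

def verdicts(rules, tcp_loose, packets):
    """Return [(ctstate, verdict)] for each packet, updating the table as
    accepted NEW packets confirm their entries."""
    ct = ConntrackModel(tcp_loose=tcp_loose)
    out = []
    for p in packets:
        state = ct.ctstate(p)
        verdict = walk(rules, state, p)
        if verdict == "ACCEPT" and state == "NEW":
            ct.confirm(p)
        out.append((state, verdict))
    return out

# Constructed traffic seen right after the firewall host rebooted.
SAMPLE = [
    Packet("198.51.100.7", 51234, "192.0.2.1", 22, syn=False, ack=True),  # old SSH session, mid-stream
    Packet("198.51.100.7", 51234, "192.0.2.1", 22, syn=False, ack=True),  # next packet of that flow
    Packet("198.51.100.9", 40001, "192.0.2.1", 22, syn=True),             # fresh SSH connection
    Packet("198.51.100.9", 40002, "192.0.2.1", 80, syn=False, ack=True),  # stray mid-stream packet to 80
]

def rule_sets_agree(tcp_loose):
    """True when both rule sets produce the same verdicts on SAMPLE."""
    return verdicts(RULES_SYN, tcp_loose, SAMPLE) == verdicts(RULES_INVALID, tcp_loose, SAMPLE)

if __name__ == "__main__":
    for loose in (False, True):
        print(f"tcp_loose={loose}: agree={rule_sets_agree(loose)}")
        print("  --syn set:   ", verdicts(RULES_SYN, loose, SAMPLE))
        print("  INVALID set: ", verdicts(RULES_INVALID, loose, SAMPLE))
```

With `tcp_loose=False` every non-SYN packet without an entry is INVALID, so both sets drop the old SSH packets and accept only the SYN. With `tcp_loose=True` the INVALID-based set accepts the mid-stream packet to port 22 as NEW and then treats the rest of that flow as ESTABLISHED, while the `--syn` set still drops it; the `--syn` form is the stricter of the two under the default setting.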