On Monday 03 July 2006 22:52, martin f krafft wrote:
> I was surprised today to find an SSH connection from my LAN to the
> 'Net surviving a power cycle of my router -- a laptop running sarge
> with kernel 2.6 and iptables.
>
> I have the following two rules first thing in the FORWARD chain:
>
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
>
> to me, this means that SYN packets may pass to the actual rules, and
> packets belonging to a connection known to the router are accepted.
> During the reboot, the router surely forgot about the existing
> connections, so why can the SSH connection persist? Is there some
> Linux magic going on?

That must be connection pickup. At
http://iptables-tutorial.frozentux.net/iptables-tutorial.html search for
"pickup".

with best regards,
Rene
--
-------------------------------------------------
Gibraltar firewall http://www.gibraltar.at/
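To make the pickup behaviour concrete, here is an added, deliberately simplified model (not kernel or iptables code, and not from either poster) of how conntrack classifies a TCP packet and how the two FORWARD rules quoted above then treat it; the "actual rule" that lets the LAN open connections to the Net and the loose-pickup switch are assumptions, modelled on the kernel's nf_conntrack_tcp_loose setting.

```python
# Simplified model of conntrack's TCP state tracking plus the FORWARD chain
# from the post. Added example, not kernel or iptables code.
LAN, NET = "lan", "net"
SYN, ACK = 0x02, 0x10

def ctstate(table, src, dst, flags, tcp_loose=True):
    """Classify one packet the way '-m conntrack --ctstate' sees it.
    `table` is the live conntrack table (a set of flows); a router reboot
    empties it. Assumed behaviour, modelled on nf_conntrack_tcp_loose:
    a pure SYN creates a NEW entry; any other packet for an unknown flow is
    picked up as NEW when loose tracking is on, otherwise it is INVALID."""
    flow = frozenset((src, dst))  # one entry covers both directions
    if flow in table:
        return "ESTABLISHED"
    if (flags & SYN) and not (flags & ACK):
        table.add(flow)
        return "NEW"
    if tcp_loose:
        table.add(flow)  # mid-stream pickup: the "Linux magic" from the post
        return "NEW"
    return "INVALID"

def forward(state, src):
    """The FORWARD chain: the two rules from the post, then an assumed
    'actual rule' that lets the LAN open connections to the Net."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "INVALID":
        return "DROP"
    if state == "NEW" and src == LAN:
        return "ACCEPT"
    return "DROP"  # assumed chain policy for everything else

def after_reboot(tcp_loose):
    """Replay the SSH session's next two mid-stream packets after the
    router's conntrack table is lost; return (state, verdict) per packet."""
    table = set()  # power cycle: nothing remembered
    verdicts = []
    for src, dst in ((LAN, NET), (NET, LAN)):  # data out, ACK back
        state = ctstate(table, src, dst, ACK, tcp_loose)
        verdicts.append((state, forward(state, src)))
    return verdicts

if __name__ == "__main__":
    print("loose on: ", after_reboot(True))   # session survives
    print("loose off:", after_reboot(False))  # both packets dropped
```

With pickup on, the laptop's first post-reboot packet is classified NEW rather than INVALID, slips past the two quoted rules to the outbound-accept rule, and recreates the conntrack entry, so the server's reply is ESTABLISHED; with pickup off, both packets are INVALID and the session dies.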