|
ru.linux
- RU.LINUX ---------------------------------------------------------------------
From : Ramazan Ja-Far 2:5020/400 24 Oct 2002 03:31:52
To : Ruslan Kazansky
Subject : Re: iptables -m state & New !SYN
--------------------------------------------------------------------------------
Hi!
On Sat, 19 Oct 2002 21:39:41 +0400, Ruslan Kazansky wrote:
RK>Использую ядро 2.4.18, iptables v1.2.6a.
...
RK>Также замечено, что статус "netstat -neoA inet" отличается от "cat
RK>/proc/net/ip_conntrack".
RK>Т.е. состояние ip_conntrack не отражает реального состояния
RK> TCP-соединений!
RK>Является ли такое явление нормальным?
Цитирую http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
The important point here is that the conntrack states
are not equivalent to tcp states...
The representation of the tcp connection states in the
state table is purely for timeouts. You can prove this
to yourself by sending an ACK packet through your
firewall to a non-existent machine (so that you don't
get the RST back). It will create a state table entry
no problem because it it is the first packet of a
connection and so is treated as NEW (the entry will
not be marked as ASSURED though).
--
Bye!
Ramazan
--- ifmail v.2.15dev5
* Origin: Svit Online (post does not reflect views of Golden Tele (2:5020/400)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
| Тема: |
Автор: |
Дата: |
|
Re: iptables -m state & New !SYN |
Ramazan Ja-Far |
24 Oct 2002 03:31:52 |
|
|
