FW: block + kill connections



My apology. Inadvertently sent to the individual rather than the list.
Some list managers think that this is good. I do not.
Mike.
--
Michael D. Berger
m.d.berger@xxxxxxxx

> -----Original Message-----
> From: Michael D. Berger [mailto:m.d.berger@xxxxxxxx]
> Sent: Sunday, January 08, 2006 5:47 PM
> To: '/dev/rob0'
> Subject: RE: block + kill connections
>
>
> [...]
> > On Sunday 2006-January-08 16:04, Robert Nichols wrote:
> > > > iptables -I INPUT -s 1.2.3.4 -j DROP
> >
> > > That will prevent communication by blocking any further incoming
> > > packets, but won't do anything to tear down the connection. See
> >
> > Actually it would drop anything with a source address of 1.2.3.4 which
> > happens to hit the filter INPUT chain, regardless of protocol or state.
> > Perhaps the issue is as I suggested, the packets are hitting FORWARD,
> > or simply that a blocked connection has not yet timed out of conntrack
> > or netstat listings.
> > --
> > mail to this address is discarded unless "/dev/rob0"
> > or "not-spam" is in Subject: header
> >
> >
>
> I have the same problem. I DROP in the INPUT chain, but the connection
> stays up and receives more junk.
>
> There is no confusion with the FORWARD chain. I have :FORWARD DROP [0:0],
> and that is it. I do not forward anything.
>
> I like the suggestion in a previous post:
>
> iptables -I INPUT -s 1.2.3.4 -p tcp --tcp-flags ! FIN,RST NONE -j REJECT --reject-with tcp-reset
>
> however, I DROP from a libipq daemon, and REJECT does not appear to be an
> option. I could accomplish it if I could set the MARK from the daemon, but
> this is not possible in the version I have, although it is possible in
> later versions.
>
> I await admonition by those more knowledgeable than I.
>
> Mike.
> --
> Michael D. Berger
> m.d.berger@xxxxxxxx
>
>


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
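The thread turns on what the REJECT rule quoted above actually matches. The `--tcp-flags [!] mask comp` match tests `(segment_flags & mask) == comp`, and the `!` inverts that whole test, so it is worth checking a candidate rule against a few sample segments before loading it. The following is an added example, not code from the thread or from iptables itself: a small Python model of that match, with constructed sample segments. The flag names and bit values are the standard TCP header flags; the helper names are this example's own.

```python
# Added example (not from the thread): a model of the iptables
# "--tcp-flags [!] mask comp" match, used to check which TCP segments a
# candidate rule would hit before the rule is deployed.

# Standard TCP header flag bits.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(spec):
    """Turn an iptables flag list ('FIN,RST', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())   # 0x3f: every flag bit
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name.strip()]  # KeyError on an unknown flag name
    return mask


def tcp_flags_match(mask, comp, segment_flags, negate=False):
    """iptables semantics: match when (flags & mask) == comp.
    The '!' prefix inverts the whole comparison, not the individual flags."""
    hit = (segment_flags & parse_flags(mask)) == parse_flags(comp)
    return not hit if negate else hit


def parse_tcp_flags_arg(tokens):
    """Parse the tokens that follow --tcp-flags: optional '!', then mask, then comp."""
    negate = False
    if tokens[0] == "!":
        negate = True
        tokens = tokens[1:]
    if len(tokens) != 2:
        raise ValueError("--tcp-flags expects a mask and a comp list")
    return negate, tokens[0], tokens[1]


# Constructed sample segments as they would appear on an open connection.
SAMPLE_SEGMENTS = {
    "SYN":            TCP_FLAGS["SYN"],
    "SYN+ACK":        TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "ACK":            TCP_FLAGS["ACK"],
    "PSH+ACK (data)": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    "FIN+ACK":        TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
    "RST":            TCP_FLAGS["RST"],
}


def evaluate_rule(tcp_flags_tokens, segments=SAMPLE_SEGMENTS):
    """Return {segment name: True/False} for one --tcp-flags argument."""
    negate, mask, comp = parse_tcp_flags_arg(tcp_flags_tokens)
    return {name: tcp_flags_match(mask, comp, flags, negate)
            for name, flags in segments.items()}


def rule_hits(tcp_flags_tokens):
    """Names of the sample segments a --tcp-flags argument would match."""
    return sorted(name for name, hit in evaluate_rule(tcp_flags_tokens).items() if hit)


if __name__ == "__main__":
    # The argument as quoted in the thread, and the same argument without '!'.
    for label, tokens in (("! FIN,RST NONE", ["!", "FIN,RST", "NONE"]),
                          ("  FIN,RST NONE", ["FIN,RST", "NONE"])):
        print(f"--tcp-flags {label}")
        for name, hit in evaluate_rule(tokens).items():
            print(f"  {name:16s} {'MATCH' if hit else '-'}")
```

With the `!` in place, the rule matches only segments that already carry FIN or RST, and the data-bearing PSH+ACK segments of a live connection pass it untouched; without the `!` it is the other way round. Which of the two is intended depends on whether the goal is to answer the peer's data with a reset or to avoid sending a reset in reply to a reset, so the table the script prints is the thing to read before inserting the rule.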