Dropped packet belonging to an already closed connection

Vlada Macek tuttle na bbs.fsik.cvut.cz
Thursday December 1 17:05:20 CET 2005


[At 01.12.2005 14:19, Peter Surda kindly sent the following quotation.]

>On Thu, 01 Dec 2005 10:05:05 +0100 Vlada Macek <tuttle na bbs.fsik.cvut.cz> wrote:
>
>>I have the server's netfilter configured to block outgoing connections; at the
>>start of the OUTPUT chain there is the usual "RELATED,ESTABLISHED -j ACCEPT".
>>Several times a day, though, the server drops an outgoing packet that
>>terminates a connection originally initiated by the client.
>>
>
>Try
>sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
>

Thanks for the tip, however:

# sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
error: 'net.ipv4.netfilter.ip_conntrack_tcp_be_liberal' is an unknown key

Maybe it's because I'm running kernel 2.4? That probably doesn't matter anyway;
it seems to me that this setting wouldn't help me in any case:

http://ipsysctl-tutorial.frozentux.net/chunkyhtml/netfilterreference.html#AEN673

    3.7.3. ip_ct_tcp_be_liberal

    This variable changes the behaviour in the state machine regarding
    TCP out of window packets. If this variable is turned off, all of
    the out of window packets are regarded as INVALID in the state
    machine. If it is turned on, the behaviour is much more liberal and
    only considers out of window RST packets as INVALID. It should
    generally be a good thing to go with this variable turned off, and
    should only be required to turn off during special occasions.

    The ip_ct_tcp_be_liberal variable takes a boolean value and is per
    default set to 0, or turned off. All out of window packets are in
    other words considered as INVALID. As already stated, this should in
    most cases be the wanted behaviour.

I don't know whether those packets are being marked as INVALID, but what
bothers me is that they are no longer ESTABLISHED, and in my view this
setting wouldn't fix that either. I was asking how I can arrange for them to
be ESTABLISHED, as they properly should be.

-- 

\//\/\
(Sometimes credited as 1494 F8DD 6379 4CD7 E7E3 1FC9 D750 4243 1F05 9424.)
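The question left open above is whether the dropped FIN/RST packets are being classed as INVALID (out of window) or are simply no longer ESTABLISHED. The following shell helper is an added diagnostic example, not part of the thread or of any netfilter documentation. It assumes a netfilter firewall with the `state` match and the `LOG` target, that the "RELATED,ESTABLISHED -j ACCEPT" rule is the first rule in OUTPUT (so the log rules are inserted at positions 2 and 3), and that the be_liberal knob lives at one of the two sysctl paths used by ip_conntrack and nf_conntrack respectively. The kernel LOG line it classifies is a constructed sample; the helper only prints rules, it does not load them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: iptables with the
# "state" match and LOG target; the RELATED,ESTABLISHED accept is rule 1
# in OUTPUT; sysctl paths are the ip_conntrack / nf_conntrack ones.

# Print (do not apply) log-only rules that sit right after the
# RELATED,ESTABLISHED accept. Anything hitting them is what the default
# policy later drops: INVALID packets (out-of-window for conntrack) and
# packets conntrack treats as NEW although they carry no SYN, i.e. the
# connection has already left the table.
invalid_log_rules() {
    cat <<'EOF'
iptables -I OUTPUT 2 -p tcp -m state --state INVALID -j LOG --log-prefix "OUT-INVALID: " --log-tcp-options
iptables -I OUTPUT 3 -p tcp -m state --state NEW ! --syn -j LOG --log-prefix "OUT-NEW-NOSYN: "
EOF
}

# Locate the be_liberal knob on this kernel. ip_conntrack (2.4 with the
# window-tracking patch, early 2.6) exposes the first key, nf_conntrack the
# second. Prints the usable key, or "none" when neither path exists, which
# is exactly what the "unknown key" error in the thread means.
be_liberal_key() {
    for key in net.ipv4.netfilter.ip_conntrack_tcp_be_liberal \
               net.netfilter.nf_conntrack_tcp_be_liberal; do
        if [ -e "/proc/sys/$(printf '%s' "$key" | tr . /)" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Classify one kernel LOG line from the rules above by prefix and TCP flag.
# Output: invalid-rst, invalid-fin, nosyn-rst, nosyn-fin, or other.
# An "invalid-*" hit means the packet was out of window and be_liberal is
# relevant; a "nosyn-*" hit means the entry was already gone (timeout), so
# the fix is elsewhere.
classify_log_line() {
    case "$1" in
        *"OUT-INVALID: "*" RST "*)   echo invalid-rst ;;
        *"OUT-INVALID: "*" FIN "*)   echo invalid-fin ;;
        *"OUT-NEW-NOSYN: "*" RST "*) echo nosyn-rst ;;
        *"OUT-NEW-NOSYN: "*" FIN "*) echo nosyn-fin ;;
        *)                            echo other ;;
    esac
}

# Constructed sample line in the kernel LOG target's format (flags appear
# as bare words before URGP=). Addresses are documentation ranges.
SAMPLE_LINE='Dec  1 14:19:00 srv kernel: OUT-INVALID: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=40213 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# Stand-alone run: show the rules, the local sysctl key, and the sample.
invalid_log_rules
printf 'be_liberal key: %s\n' "$(be_liberal_key || true)"
classify_log_line "$SAMPLE_LINE"
```

Pipe the output of `invalid_log_rules` into a shell on the firewall host to install the log rules, then grep the kernel log for the two prefixes: a FIN or RST under `OUT-INVALID:` is the out-of-window case the tutorial excerpt describes, while one under `OUT-NEW-NOSYN:` means the conntrack entry had already expired, which no be_liberal setting changes.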
