Subject: what is conntrack & how ipchains works without it?!?
From: Christian Seberino @ 2002-07-10 16:50 UTC
To: netfilter

Is conntrack the "memory" of iptables that allows
it to make filtering decisions based on the history
of network traffic in and out of the PC?

Imagine a private LAN PC trying to do DNS through
an SSH-only DNAT/SNAT firewall... it is the conntrack
that allows ESTABLISHED/RELATED packets to bypass
the rules, allowing DNS to work, right?

How can *ipchains* do DNS through an SSH-only ipchains
firewall since it does *not* have conntrack?
It must have some other mechanism, right? What?

Chris
-- 
_______________________________________

Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax:   (619) 553-2836
Email: seberino@spawar.navy.mil
_______________________________________



Subject: Re: what is conntrack & how ipchains works without it?!?
From: Ramin Alidousti @ 2002-07-10 17:10 UTC
To: Christian Seberino
Cc: netfilter

On Wed, Jul 10, 2002 at 09:50:44AM -0700, Christian Seberino wrote:

> Is conntrack the "memory" of iptables that allows
> it to make filtering decisions based on the history
> of network traffic in and out of the PC?
> 
> Imagine a private LAN PC trying to do DNS through
> an SSH-only DNAT/SNAT firewall... it is the conntrack

What is an SSH-only firewall?

> that allows ESTABLISHED/RELATED packets to bypass
> the rules, allowing DNS to work, right?
> 
> How can *ipchains* do DNS through an SSH-only ipchains
> firewall since it does *not* have conntrack?
> It must have some other mechanism, right? What?

In the case of ipchains, you have to open up the firewall manually for
the return traffic, which usually translates into a much larger hole
than needed.

Again, what is an SSH-only firewall?

Ramin

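
The difference Ramin describes, as an added example that is not part of this thread or of the netfilter/ipchains code: a toy packet filter in Python, run over a constructed packet trace, contrasting the stateless ipchains-style rule set (which must permanently admit inbound UDP from source port 53 to every unprivileged port so that DNS replies get back to the LAN client) with a conntrack-style filter that remembers each allowed outbound flow and admits only its replies (ESTABLISHED) or ICMP errors that quote it (RELATED). The addresses are from the RFC 5737 documentation ranges, the `Packet.inner` field standing in for the quoted header in an ICMP error is an assumption of this toy, and the tracker is a deliberate simplification (no timeouts, no TCP state machine) of what the real conntrack does.

```python
"""Stateless (ipchains-style) vs stateful (conntrack-style) filtering.

Constructed example: nothing here touches the kernel, iptables or ipchains.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The "SSH-only" firewall of the thread: the LAN may reach SSH and, so that
# name resolution works at all, DNS.
ALLOWED_OUT = {22, 53}

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    direction: str            # "out": LAN -> Internet, "in": Internet -> LAN
    proto: str                # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    # For ICMP errors only: the flow quoted in the ICMP payload. This field is
    # an assumption of the toy model, standing in for the embedded IP header.
    inner: Optional[FlowKey] = None


def stateless_filter(pkt: Packet) -> bool:
    """ipchains-style rules: no memory of earlier packets.

    To let DNS replies back in, the rule set must permit inbound UDP from
    source port 53 to every unprivileged port, from anyone, all the time.
    Likewise ICMP errors can only work if inbound ICMP is admitted wholesale.
    That is the "much larger hole than needed".
    """
    if pkt.direction == "out":
        return pkt.dport in ALLOWED_OUT
    if pkt.proto == "icmp":
        return True
    return pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024


class ConntrackFilter:
    """conntrack-style: remember each allowed outbound flow, then admit only
    packets that belong to it (ESTABLISHED) or that refer to it (RELATED)."""

    def __init__(self) -> None:
        self.flows: set = set()

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport not in ALLOWED_OUT:
                return False
            # NEW: record the flow so its replies can be recognised later.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.proto == "icmp":
            # RELATED: admit the error only if it quotes a flow we track.
            return pkt.inner is not None and pkt.inner in self.flows
        # ESTABLISHED: the reply's addresses are the request's, swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_trace() -> dict:
    """Run both filters over a constructed trace; (stateless, conntrack) per packet."""
    lan, dns, attacker, web = "192.168.1.10", "192.0.2.53", "198.51.100.7", "203.0.113.80"
    trace = [
        ("dns query",    Packet("out", "udp",  lan, 33000, dns, 53)),
        ("dns reply",    Packet("in",  "udp",  dns, 53, lan, 33000)),
        # Unsolicited UDP from port 53 to a high port: the ipchains hole.
        ("unsolicited",  Packet("in",  "udp",  attacker, 53, lan, 40000)),
        # Port-unreachable quoting our own query: legitimately RELATED.
        ("icmp unreach", Packet("in",  "icmp", dns, 0, lan, 0,
                                inner=("udp", lan, 33000, dns, 53))),
        # ICMP error quoting a flow that never existed.
        ("forged icmp",  Packet("in",  "icmp", attacker, 0, lan, 0,
                                inner=("udp", lan, 5555, attacker, 53))),
        ("http out",     Packet("out", "tcp",  lan, 40001, web, 80)),
    ]
    ct = ConntrackFilter()
    return {name: (stateless_filter(p), ct.filter(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, conntrack) in run_trace().items():
        print(f"{name:13s} stateless={stateless!s:5s} conntrack={conntrack}")
```

Only the two unsolicited packets separate the filters: the ipchains-style rules accept them because they fit the static reply pattern, while the tracker rejects them because no tracked flow matches. On a real iptables box the tracker's behaviour is what `-m state --state ESTABLISHED,RELATED -j ACCEPT` gives you, with no inbound port ever left open on its own.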


