[Shorewall-users] Clearing the state tables in Redhat Linux V9

Tom Eastep teastep at shorewall.net
Fri Aug 22 15:09:35 PDT 2003


On Fri, 2003-08-22 at 06:58, Tom Eastep wrote:
> On Fri, 2003-08-22 at 06:55, Gonzalo Servat wrote:
> 
> > 
> > Is this because of the ip_conntrack state tables?
> > 
> 
> I wouldn't think so...

I reread your post and now understand what you were saying. I thought you
were objecting to the fact that new connections were rejected, when what
you were actually concerned about was the fact that existing connections
continue to work.

You are correct that this is related to connection tracking state. With
a large list of MAC addresses to filter, MAC filtering would be quite
expensive if it were done on every incoming packet. To reduce the
expense, I therefore only check MAC addresses on new connection
attempts.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
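As an added example (not code from this thread and not Shorewall's own implementation), the following POSIX shell script shows the rule layout Tom describes: a MAC whitelist chain that is consulted only for packets in state NEW, so packets of already-tracked connections never hit the per-MAC matches. It also includes a helper that flushes the conntrack table, which is what forces existing flows to re-enter as NEW and pass the MAC check again. The chain name `maclist`, the interface `eth1`, the sample MAC list and the dry-run `IPT`/`CT` variables are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Build a MAC whitelist chain that is only
# consulted for packets opening a NEW connection, and a helper to clear the
# connection tracking table so every flow must pass the check again.

# Dry run by default: IPT/CT print the commands. Set IPT=iptables and
# CT=conntrack (conntrack-tools) to apply them for real (needs root).
IPT="${IPT:-echo iptables}"
CT="${CT:-echo conntrack}"
IFACE="${IFACE:-eth1}"      # assumed LAN-side interface
CHAIN="maclist"             # assumed chain name

# Constructed sample whitelist: one MAC per line, "#" comments allowed.
MACLIST='
# lab hosts
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff  # printer
'

# emit_maclist_rules IFACE  (MAC list on stdin)
# Prints or runs the rules. Only the first packet of a connection is sent
# through the MAC chain; later packets are ESTABLISHED and skip it, which is
# why a host keeps its existing connections after being removed from the
# list until its conntrack entries expire or are flushed.
emit_maclist_rules() {
    iface="$1"
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # -m state --state NEW is the syntax of the 2.4-kernel era; modern
    # iptables also accepts -m conntrack --ctstate NEW.
    $IPT -A INPUT   -i "$iface" -m state --state NEW -j "$CHAIN"
    $IPT -A FORWARD -i "$iface" -m state --state NEW -j "$CHAIN"
    while read -r mac rest; do
        case "$mac" in ''|'#'*) continue ;; esac   # skip blanks and comments
        $IPT -A "$CHAIN" -i "$iface" -m mac --mac-source "$mac" -j RETURN
    done
    # Anything not whitelisted is dropped; listed MACs RETURN to the caller.
    $IPT -A "$CHAIN" -i "$iface" -j DROP
}

# flush_conntrack: drop every tracked connection. The next packet of each
# flow is then NEW again and is re-checked against the MAC list.
flush_conntrack() {
    $CT -F
}

# Stand-alone run (dry run unless IPT is set): print the rules.
printf '%s\n' "$MACLIST" | emit_maclist_rules "$IFACE"
```

The cost argument in the post is visible in the rule layout: with N whitelisted MACs, only connection-opening packets pay for up to N `--mac-source` comparisons, while the bulk of traffic is matched once by the state test. The flip side is exactly the behaviour the thread is about: removing a MAC from the list has no effect on that host's established connections until `flush_conntrack` (or the conntrack entries' own timeouts) clears the state.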
