On Thu 13-12-2001 at 15:16, Leonardo Rodrigues wrote:
> I understand 'restart the firewall' as a 'iptables -F; iptables -X;
> iptables -Z' and not as a real machine reboot. In the case of a
> machine reboot, it would be very difficult (if not impossible) to
> guarantee that opened connections would remain open. Who knows how
> much time the machine will take to boot????

Sure. You can imagine you have a spare firewall for failover using VRRP.
Shut down the master, and the slave will be acting, with a kind of reset
state.

> I've not REALLY tested this, but with these simple tests, it seems that a
> soft restart of the firewall (1-2 seconds) would NOT lose opened
> connections, as states are NOT done directly by ip_tables.
> What do you think about that??

iptables and Netfilter, although they are closely linked, are two separate
things. iptables is a userland tool that aims to configure Netfilter
ip_table stuff. Netfilter also provides ip_conntrack, which acts separately
from ip_table. Even if you do not use --match state, having ip_conntrack
loaded _will_ classify _all_ connections' state.

Doing "iptables -F; iptables -X; iptables -Z" will only act on ip_table,
but not on ip_conntrack. Nowadays, I am not aware of a tool that can act
on ip_conntrack tables (we can grab the state table, but not yet act on
it).

To be quick, iptables does not act on ip_conntrack stuff.

-- 
Cédric Blancher
Systems and network security consultant
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tel: 01 44 06 97 87 - Fax 01 44 06 97 99
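The message above argues that "iptables -F; iptables -X; iptables -Z" touches only the ip_tables rule set and leaves the ip_conntrack state table alone. The script below is an added example, not code from the thread or from the Netfilter project, that turns that claim into something you can check on a box: it snapshots /proc/net/ip_conntrack (the "grab the state table" the message mentions), runs the flush, snapshots again, and reports every tracked connection that disappeared. It assumes the 2.4-era /proc/net/ip_conntrack line layout (protocol name, protocol number, timeout, optional TCP state, then original-direction src=/dst=/sport=/dport= fields); the snapshot text embedded in the script is constructed for the offline demonstration, not captured from a real host. The live mode needs root and a loaded ip_conntrack module.

```shell
#!/bin/sh
# Added example (not from the thread): diff two /proc/net/ip_conntrack
# snapshots to see whether a rule flush lost any tracked connections.
# Assumption: 2.4-era ip_conntrack line layout; sample text is constructed.

# Print one canonical "proto src dst sport dport" line per entry, taken
# from the original-direction tuple (the first src=/dst=/sport=/dport=
# on the line), sorted so the two snapshots can be compared with comm.
conntrack_tuples() {
    awk '{
        src = ""; dst = ""; sport = ""; dport = ""
        for (i = 2; i <= NF; i++) {
            if (src   == "" && $i ~ /^src=/)   src   = substr($i, 5)
            if (dst   == "" && $i ~ /^dst=/)   dst   = substr($i, 5)
            if (sport == "" && $i ~ /^sport=/) sport = substr($i, 7)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src != "") print $1, src, dst, sport, dport
    }' | sort
}

# lost_entries BEFORE AFTER: tuples present in the first snapshot but
# absent from the second, i.e. connections whose state entry went away.
lost_entries() {
    tmp_before=$(mktemp); tmp_after=$(mktemp)
    printf '%s\n' "$1" | conntrack_tuples > "$tmp_before"
    printf '%s\n' "$2" | conntrack_tuples > "$tmp_after"
    comm -23 "$tmp_before" "$tmp_after"
    rm -f "$tmp_before" "$tmp_after"
}

# lost_count BEFORE AFTER: number of entries lost (awk, not grep -c, so an
# empty result yields "0" without a non-zero exit under set -e).
lost_count() {
    lost_entries "$1" "$2" | awk 'END { print NR }'
}

# Live check, needs root and ip_conntrack loaded: snapshot, flush the rules
# exactly as the thread describes, snapshot again, report what was lost.
# Only do this where the chain policies are ACCEPT, or you lock yourself out.
live_flush_check() {
    before=$(cat /proc/net/ip_conntrack)
    iptables -F; iptables -X; iptables -Z
    after=$(cat /proc/net/ip_conntrack)
    echo "tracked connections lost by the flush: $(lost_count "$before" "$after")"
    lost_entries "$before" "$after"
}

# Offline demonstration on constructed snapshots (not real captures).
SNAP_BEFORE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=33456 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=33456 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=10.0.0.5 sport=33457 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=33457 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=5353 use=1'
# A rule flush leaves the table as it was; a reboot or failover starts empty.
SNAP_AFTER_FLUSH="$SNAP_BEFORE"
SNAP_AFTER_REBOOT=''

case "${1-}" in
    --live) live_flush_check ;;
    *)
        echo "lost after rule flush: $(lost_count "$SNAP_BEFORE" "$SNAP_AFTER_FLUSH")"
        echo "lost after reboot:     $(lost_count "$SNAP_BEFORE" "$SNAP_AFTER_REBOOT")"
        ;;
esac
```

Run it with no arguments for the offline demonstration, or as root with --live to flush the real rule set and diff the real table. Note that surviving conntrack entries only help if the rules you reload afterwards still accept ESTABLISHED and RELATED traffic; the flush itself does not break connections, but a rule set loaded without such a rule will.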
This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 09:15:19 PST