Dog And Butterfly (TheWiseGuy, Premium, MVM)
East Stroudsburg, PA
In reply to jdong
Re: D-Link 524 Router: Letting a few packets throu
NAT is not stateful. But technically, even in a stateful firewall, if you close a connection, some packets should be allowed inbound from the other user. You would need to run a packet sniffer to see if the router is allowing packets it shouldn't, or if IPTables was denying those it should have allowed, though both could be allowing/denying packets correctly.
see figure 6
Part of whether the firewall allows the packets would depend on how the connection is closed and whether a RST or FIN is sent.
Also, timing is important and not absolute.
said by Iptables Tutorial 1.1.19:
If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default has 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly.
So while both may be stateful, they may have different timeout values for the states.
said by Iptables Tutorial 1.1.19:
Here is the complete list of possible states that a TCP stream may take, and their timeout values.
Table 4-2. Internal states
These values are most definitely not absolute. They may change with kernel revisions, and they may also be changed via the proc file-system in the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The default values should, however, be fairly well established in practice.

State         Timeout value
NONE          30 minutes
ESTABLISHED   5 days
SYN_SENT      2 minutes
SYN_RECV      60 seconds
FIN_WAIT      2 minutes
TIME_WAIT     2 minutes
CLOSE         10 seconds
CLOSE_WAIT    12 hours
LAST_ACK      30 seconds
LISTEN        2 minutes

These values are set in jiffies (or 1/100th parts of seconds), so 3000 means 30 seconds.
Dog and Butterfly
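The point of the post is that whether a late packet from the peer still passes a stateful firewall depends on which internal state the close put the connection into and how long that state's timer runs. The following is an added example, not code from the post or from the Iptables Tutorial: a small Python model of a tracked TCP connection driven by the timeout table quoted above. It assumes a reduced transition table (first FIN moves ESTABLISHED to FIN_WAIT, the teardown then goes FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT; any RST goes straight to CLOSE), ignores packet direction and sequence-window checks that the real nf_conntrack code performs, and refreshes the timer on every accepted packet as conntrack does. The `load_timeouts` helper reads the live sysctl values from the tutorial's old ip_ct_tcp_timeout_* path or the current nf_conntrack_tcp_timeout_* path when they exist, and otherwise uses the table's defaults; the function and class names are this example's own.

```python
"""Toy model of netfilter TCP conntrack state timeouts (added example)."""

# Default internal TCP state timeouts in seconds, as quoted in the post from
# Iptables Tutorial 1.1.19, Table 4-2.
DEFAULT_TIMEOUTS = {
    "NONE": 30 * 60,
    "ESTABLISHED": 5 * 24 * 3600,
    "SYN_SENT": 2 * 60,
    "SYN_RECV": 60,
    "FIN_WAIT": 2 * 60,
    "TIME_WAIT": 2 * 60,
    "CLOSE": 10,
    "CLOSE_WAIT": 12 * 3600,
    "LAST_ACK": 30,
    "LISTEN": 2 * 60,
}

# sysctl file prefixes for the tunables: the ip_conntrack path named in the
# tutorial, and the nf_conntrack path used by current kernels.
PROC_PREFIXES = (
    "/proc/sys/net/ipv4/netfilter/ip_ct_tcp_timeout_",
    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_",
)

# Simplified subset of the kernel's TCP transition table, keyed by
# (current state, flag that drove the packet). Assumption of this example:
# direction and sequence-window checks are left out.
TRANSITIONS = {
    ("ESTABLISHED", "FIN"): "FIN_WAIT",
    ("FIN_WAIT", "ACK"): "CLOSE_WAIT",
    ("FIN_WAIT", "FIN"): "LAST_ACK",
    ("CLOSE_WAIT", "FIN"): "LAST_ACK",
    ("LAST_ACK", "ACK"): "TIME_WAIT",
}


def load_timeouts(prefixes=PROC_PREFIXES):
    """Table defaults, overridden by live kernel values where a sysctl file
    exists (NONE and LISTEN have no sysctl and keep their defaults)."""
    timeouts = dict(DEFAULT_TIMEOUTS)
    for prefix in prefixes:
        for state in timeouts:
            try:
                with open(prefix + state.lower()) as f:
                    timeouts[state] = int(f.read().strip())
            except (OSError, ValueError):
                continue  # file absent or unreadable: keep the default
    return timeouts


class Conntrack:
    """One tracked TCP connection: its internal state and the time of the
    last packet that was accepted into that state."""

    def __init__(self, timeouts, now=0.0, state="ESTABLISHED"):
        self.timeouts = timeouts
        self.state = state
        self.since = now

    def expired(self, now):
        # The entry is garbage-collected once the current state's timer runs out.
        return now >= self.since + self.timeouts[self.state]

    def observe(self, flag, now):
        """Feed one packet by its dominant flag ("FIN", "ACK", "RST", ...).
        Returns the resulting state, or None if the entry had already expired
        (the packet would then be treated as NEW or INVALID, not ESTABLISHED)."""
        if self.expired(now):
            return None
        if flag == "RST":
            new = "CLOSE"  # RST is never acknowledged; it closes directly
        else:
            new = TRANSITIONS.get((self.state, flag), self.state)
        self.state, self.since = new, now  # every accepted packet refreshes the timer
        return self.state

    def matches_established(self, now):
        """Would an iptables rule with --state ESTABLISHED still match a
        packet belonging to this connection at time `now`?"""
        return not self.expired(now)


def probe_after_close(timeouts, close_flag, delay):
    """Close an established connection with `close_flag` at t=100s and report
    (state, whether a peer packet `delay` seconds of silence later still matches)."""
    c = Conntrack(timeouts, now=0.0)
    c.observe(close_flag, now=100.0)
    return c.state, c.matches_established(100.0 + delay)


if __name__ == "__main__":
    t = load_timeouts()
    for flag, delay in (("RST", 5), ("RST", 11), ("FIN", 11), ("FIN", 121)):
        state, ok = probe_after_close(t, flag, delay)
        verdict = "still matches" if ok else "entry expired"
        print(f"{flag} then {delay:>3}s of silence: state={state:<9} peer packet {verdict}")
```

With the table's defaults, a RST leaves a 10-second window in CLOSE during which a straggling packet from the peer still matches the connection, whereas a FIN leaves the entry in FIN_WAIT for two minutes; on a box whose sysctls were tuned, `load_timeouts` picks those values up instead, which is exactly the kind of difference between two "stateful" devices the post describes.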