
0002687: drop rules do not block connections which are already ESTABLISHED - MantisBT Endian Bugtracker
Endian Issue Tracker


ID: 0002687
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2010-02-15 14:28
Last Update: 2011-02-02 09:09
Assigned To: peter-endian
Platform / OS / OS Version: (not set)
Product Version: 2.3
Target Version: future
Fixed in Version: (not set)
Summary: 0002687: drop rules do not block connections which are already ESTABLISHED
Description:
We have set up a rule to allow SMB-All from a server in ORANGE to a server in GREEN.
All works fine. We copied some files and after that we disabled the rule.

After disabling the rule, all SMB traffic is still allowed. See also the connections in the status screen with port 445.

We have to log out and log in at the server in ORANGE to have no access to the server at GREEN.

So it looks like disabling the rule does not affect sessions that exist.
All SMB sessions should be killed if we disable an SMB rule.
Tags: No tags attached.
Attached Files: (none)

Relationships:
related to 0000183 (confirmed, peter-endian): Kill Session option

Notes
peter-endian (administrator)
2010-02-15 16:11

Firewall rules affect only the connection initiation. Due to the statefulness, established connections will not be blocked.

Can't change this easily, otherwise we degrade firewall performance and remove statefulness.

Killing every established connection affected by a rule is not that easy also, since we can't identify them only with the rule-information, because they are not that specific most of the time.

We can implement an option to kill an established connection manually, through connections.cgi
aender (reporter)
2010-02-15 16:16

Yes. Please implement something like that.

Is there a workaround possible? Maybe a command at the shell to kill established connections?
luca-endian (developer)
2010-02-15 16:58

conntrack -F
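An added example, not from the Endian project or from anyone in this thread, showing the targeted alternative to the blanket flush above: delete only the conntrack entries the disabled rule allowed, so unrelated tracked flows survive. The host addresses, the shape of the iptables rule and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not Endian's code). Why removing the rule changes nothing for
# running SMB sessions: a stateful ruleset normally starts with
#     iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# so packets of a flow already in the conntrack table are accepted there and
# never reach the later ACCEPT/DROP rules. `conntrack -F` fixes that by
# dropping every tracked flow; the function below removes only the matching ones.

# Print the command (DRY_RUN=1, the default, so this runs unprivileged) or run it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "+ $1"
    else
        eval "$1"
    fi
}

# Build the conntrack(8) command that deletes the flows a rule allowed.
# Arguments: protocol, source host, destination host, destination port.
# Assumes conntrack-tools with -D, --orig-src, --orig-dst and --dport.
conntrack_kill_cmd() {
    proto=$1; src=$2; dst=$3; dport=$4
    echo "conntrack -D -p $proto --orig-src $src --orig-dst $dst --dport $dport"
}

# Remove the allow rule and then the state it created, in that order, so no
# new flow can slip in between the two steps.
disable_rule_and_kill_flows() {
    proto=$1; src=$2; dst=$3; dport=$4
    rule="-p $proto -s $src -d $dst --dport $dport -j ACCEPT"
    run "iptables -D FORWARD $rule"
    run "$(conntrack_kill_cmd "$proto" "$src" "$dst" "$dport")"
}

# Constructed values for the thread's scenario: ORANGE server 192.0.2.10
# talking SMB (tcp/445) to GREEN server 198.51.100.5.
disable_rule_and_kill_flows tcp 192.0.2.10 198.51.100.5 445
```

Run with DRY_RUN=0 as root to apply; the `conntrack -L` listing can be checked afterwards to confirm the 445 entries are gone.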

Issue History
Date Modified | Username | Field | Change
2010-02-15 14:28 aender New Issue
2010-02-15 16:11 peter-endian Note Added: 0003796
2010-02-15 16:11 peter-endian Status new => confirmed
2010-02-15 16:11 peter-endian Target Version => future
2010-02-15 16:13 peter-endian Summary SMB traffic still allowed after disable a rule => drop rules do not block connections which are already ESTABLISHED
2010-02-15 16:16 aender Note Added: 0003798
2010-02-15 16:58 luca-endian Note Added: 0003799
2010-03-10 17:42 peter-endian Relationship added related to 0000183
2011-02-02 09:07 lorenzo-endian Customer Occurencies => 0
2011-02-02 09:07 lorenzo-endian Assigned To => peter-endian
2011-02-02 09:09 lorenzo-endian Severity major => feature

Copyright © 2005-2008 Endian, SRL. All rights reserved.
