On Fri, 2020-05-08 at 10:52 +1000, Mike Everest wrote:
> A quick test proves that connection-state="" is the same as connection-state=invalid,established,related,new,untracked [...] If so, then the resulting behaviour would match your observations, since the rules will match all packets, including 'new' - and your other rules that explicitly relate to 'established' work to maintain valid connections (because it only takes one 'new' input packet to create an established connection)
I will have to think on that ... if that's the case, why don't all SSH connections end up blocked after four packets? Ah - because my "established" rule is processed before my blacklist rules! OK, makes sense. Thanks!

But I think I will still fix up those rules. With a deal more confidence :-)

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
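A constructed RouterOS configuration, added here to illustrate the point of the thread (it is not Karl's or Mike's actual rules): a four-stage SSH staging list in the input chain, with the weak form (no connection-state) shown in comments beside the corrected form (connection-state=new on every counting rule), so the counting no longer depends on an accept-established rule sitting above it. Address-list names, timeouts, port 22 and the surrounding accept/drop rules are assumptions.

```routeros
# Constructed RouterOS example (not the rules from the thread): a
# four-stage SSH staging list in the input chain.
#
# Weak form, for contrast: a staging rule with no connection-state, e.g.
#   add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage1 \
#       action=add-src-to-address-list address-list=ssh_stage2 \
#       address-list-timeout=1m
# An unset connection-state matches every state, so every packet of a
# live session counts as an "attempt" and the source is blacklisted after
# four packets, unless an accept-established rule above shields it.
#
# Corrected form: connection-state=new on every counting rule, so only the
# first packet of each connection is counted, whatever sits above.
/ip firewall filter
add chain=input src-address-list=ssh_blacklist action=drop \
    comment="blacklisted sources: drop every packet, any state, first"
add chain=input connection-state=established,related action=accept \
    comment="accept established/related (good practice, no longer load-bearing)"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# add-src-to-address-list does not terminate rule processing, so a single
# new connection falls through each stage it qualifies for; listing the
# highest stage first means exactly one promotion per new connection.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d \
    comment="4th new connection within a minute -> blacklist for a day"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="3rd attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="2nd attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="1st attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=accept comment="allow SSH (rate-limited by the stages above)"
add chain=input action=drop comment="drop everything else"
```

With connection-state=new on the counting rules, moving the accept-established rule below them no longer changes how many "attempts" a legitimate session generates, which is the behaviour the thread expected in the first place.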