Accepting ESTABLISHED connections before first rule

Brought to you by: mikehorn

Accepting ESTABLISHED connections before first rule

Forum: Open Discussion

Creator: Heiri Müller

Created: 2015-06-26

Updated: 2015-07-09

Heiri Müller - 2015-06-26

Hello,

This is a thing, I really don't understand: Lets say, I have one rule in FWBuilder. A Catch All rule:

Which compiles to:
$IPTABLES -A OUTPUT -j ACCEPT
$IPTABLES -A INPUT -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT

Leaving the default values, the network now works. I'm connected.
The problem for me is, that I want to do a lot of connection tracking/byte counting ("connbytes"). So I can't accept, that by default, every ESTABLISHED connection fires a rule right before my own rules defined in FWBuilder. To change that, there's a switch in the compiler preferences:

Accept ESTABLISHED and RELATED packets before the first rule

If I now don't accept ESTABLISHED and RELATED packets before the first rule anymore, meaning, I unselect that switch, like in the picture above, no connection at all leaves my computer anymore:

sendTo: Operation not permitted

If I make my catch-all rule stateless, like in this picture:

Then, everything goes back to normal.

Can anybody explain me, what's going on?

Thanks

P.S: I don't drop packets, which are not associated with any connection.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heiri Müller - 2015-07-09

I found the solution:
1. I desactivated that function in the Panel.
2. I added the rules myself after my bytes accounting checks.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.