Least disruptive way to reset TCP connections when a firewall rule is enabled

I have a firewall rule blocking all Internet traffic for a robot vac when it's not in use. (It talks way too much to China.) The rule is easily enabled and disabled using the Custom Commands LuCI package which works great.

When the firewall rule to block Internet access is enabled, the vacuum's existing TCP connections are unaffected and traffic continues even after the firewall is restarted. I've been using the conntrack -F command to flush the conntrack table so the firewall rule can take full effect, but that command impacts TCP connections for all devices.

Is there a less disruptive way of interrupting existing TCP connections to my robot vac that won't affect all devices?

Thanks.

You can add a filter to conntrack. f -s 192.168.1.256


That's the fix! Thanks much.

Exact syntax for anyone that comes across this:

conntrack -D -s <IP> - to delete source entries
conntrack -D -d <IP> - for destination entries

Also -D -q <ip>
REF: https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation
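Putting the thread's answer into a small script (an added example, not posted by anyone in the thread): it deletes only the given host's conntrack entries, matching the address in every tuple field (-s, -d, -q from above plus -r, the reply-source counterpart), and refuses malformed addresses such as an octet above 255. It assumes the conntrack-tools package is installed; CONNTRACK_DRY_RUN is a hypothetical switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed example: purge conntrack entries for one LAN host after a
# blocking firewall rule is enabled, leaving other devices' flows alone.
# CONNTRACK_DRY_RUN=1 prints the conntrack commands instead of running them.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                # split on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Emit one conntrack -D invocation per tuple field, so the host's entries
# are removed whichever side of the flow it appears on (incl. NATed ones).
conntrack_purge_cmds() {
    for flag in -s -d -r -q; do
        echo "conntrack -D $flag $1"
    done
}

# Validate the address, then delete (or, in dry-run mode, print) the entries.
purge_host_conntrack() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    conntrack_purge_cmds "$1" | while read -r cmd; do
        if [ "${CONNTRACK_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Usage: purge_host_conntrack 192.168.1.50   (run right after enabling the rule)
```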
