Re: Strange Network/Firewall problem

To: debian-amd64@lists.debian.org
Cc: Stefan Lüthje <stefan+list@luethje.ch>
Subject: Re: Strange Network/Firewall problem
From: vitko <vitk0@seznam.cz>
Date: Mon, 30 Jan 2006 08:06:04 +0100
Message-id: <[🔎] 43DDBADC.8070603@seznam.cz>
In-reply-to: <[🔎] 38141.192.168.71.1.1138220438.squirrel@speedy.luethje.ch>
References: <[🔎] 38141.192.168.71.1.1138220438.squirrel@speedy.luethje.ch>

Stefan Lüthje napsal(a):

...

is called by:

iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

...

When I ping a machine in the internet, I see the following result on tcpdump:

19:35:24.866434 IP 21x.8x.7x.7x > 21x.18x.14x.10x: ICMP echo request, id
46871, seq 1536, length 64
19:35:24.898032 IP 21x.18x.14x.10x > 21x.8x.7x.7x: ICMP echo reply, id
46871, seq 1536, length 64

But on the log I see the following:

Jan 25 19:35:24 speedy kernel: denied: IN=ppp0 OUT= MAC=
SRC=21x.18x.14x.10x DST=21x.8x.7x.7x LEN=84 TOS=0x00 PREC=0x00 TTL=58
ID=11184 PROTO=ICMP TYPE=0 CODE=0 ID=46871 SEQ=1536

My question: Why will this packet not accepted by the ACCEPT state rule
withe the 2.6.15 kernel?


I'm not sure you can speak about RELATED and ESTABLISHED in the context of ICMP;
if I'm not mistaken this is stateless affair.

I've got dedicated rule for ICMP only in my firewall scripts, something like

   iptables -A INPUT -i ppp0 -p ICMP --icmp-type echo-request -j ACCEPT

Hope this helps you.

Please someone correct me if I'm wrong (but it works for me anyway).

Vit

Reply to:

References:
- Strange Network/Firewall problem
  - From: Stefan Lüthje <stefan+list@luethje.ch>

Prev by Date: GPG error when apt-get update
Next by Date: Re: GPG error when apt-get update
Previous by thread: Strange Network/Firewall problem
Next by thread: Bug#349900: gkrelldnet: FTBFS missing gkrellm.h
Index(es):
- Date
- Thread