On Sat, Jun 14, 2008 at 08:58:19AM +0200, Vitezslav Kotrla wrote:
> Bharath Ramesh wrote on Fri 13. 06. 2008 at 21:29 +0200:
>
> > $IPT --append INPUT --in-interface $EXTIF --protocol icmp --icmp-type 0 \
> > --destination $EXTIP --match state --state NEW,ESTABLISHED,RELATED \
> > --jump ACCEPT
>
> A side note: I wonder how much use is "--match state" in ICMP context.
> (Well, I can't see any icmp entries in /proc/net/ip_conntrack anyway).
> You might want to consult debian-firewall list.

ICMP could be related to different TCP/UDP streams. For example, you might allow in FTP via the firewall, but not have an ftpd server running, so the ICMP that is generated from a failed attempt is related to the original TCP stream. The OP should probably have one line at the top of the chain for ESTABLISHED,RELATED to cover all the established/related packets.

> Vit

--
"You see, not only did the attacks help accelerate a recession, the attacks reminded us that we are at war." - George W. Bush 06/08/2005 Washington, DC
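The chain layout suggested in the reply, as an added example that is not part of the original thread: one ESTABLISHED,RELATED rule at the top of INPUT, so ICMP errors tied to an existing TCP/UDP flow are accepted by conntrack and the per-protocol rules below only need to handle NEW packets. EXTIF and EXTIP are placeholder values; IPT defaults to a dry-run `echo` so the script runs without root or netfilter.

```shell
#!/bin/sh
# Added example (not from the original thread). IPT defaults to a dry run
# that prints the iptables commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-eth0}"          # assumed external interface
EXTIP="${EXTIP:-192.0.2.10}"    # constructed, documentation-range address

# Emit the INPUT chain rules in order.
build_input_chain() {
    # First rule: accept everything conntrack already knows about. This
    # covers ICMP errors that are RELATED to an existing TCP/UDP flow
    # (e.g. the ICMP generated by a failed FTP connection attempt).
    $IPT --append INPUT --in-interface "$EXTIF" \
        --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # Everything below only sees NEW packets. Echo replies to our own pings
    # are already ESTABLISHED above, so the only NEW ICMP worth accepting
    # here is an inbound echo-request addressed to the firewall itself.
    $IPT --append INPUT --in-interface "$EXTIF" --protocol icmp \
        --icmp-type echo-request --destination "$EXTIP" \
        --match state --state NEW --jump ACCEPT
    # Anything not matched above is dropped by the chain policy.
    $IPT --policy INPUT DROP
}

# Return the 1-based line number of the first emitted rule matching $1,
# so the ordering of the chain can be checked on the dry-run output.
first_rule_with() {
    build_input_chain | grep -n -- "$1" | head -n1 | cut -d: -f1
}
```

Run it as-is to see the generated commands; the state rule must come out first, or NEW-only rules below would silently drop RELATED ICMP.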