On Tue, Apr 03, 2001 at 02:01:44PM +0200, christian.burri@synecta.ch wrote:
> (through an Echo_Request, of course). If there is an entry in the table, then netfilter could let the ICMP packet pass. If there's no entry in the table, then either no one actually requested that packet or the ping simply took too long to complete (I guess there's a timeout removing table entries which haven't been referred to in the past (n) minutes) and thus gets discarded.
> Correct me if I'm wrong =P
argl.. ;-) After reading the manpage 2-3 times I had found it.

[...] no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. [...]

I assume, using --state ESTABLISHED is senseless on icmp packets. Only matching --state RELATED packets is the solution for accepting icmp-errors for an already outgoing icmp-packet like icmp-echo-request. ;-)

Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany
gnupg key at www.aktex.net/marco_work.asc
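
A simplified model of the state table discussed in this thread, applying the manpage definitions quoted above to ICMP echo traffic; it is an added illustration, not code from either poster or from netfilter. The 30-second timeout, the class and function names, and the sample addresses are assumptions of the model.

```python
# Simplified model of a connection-tracking table for ICMP (not netfilter code).
ICMP_TIMEOUT = 30.0  # seconds; assumed value for this model

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}


class IcmpTracker:
    def __init__(self):
        # (src, dst, echo id) -> [expiry time, reply_seen]
        self.table = {}

    def _expire(self, now):
        # Drop entries that have not been refreshed within the timeout.
        self.table = {k: v for k, v in self.table.items() if v[0] > now}

    def classify(self, now, src, dst, icmp_type, echo_id=None, inner=None):
        """Return the state of one packet.

        inner is the (src, dst, echo id) of the packet quoted inside an ICMP error.
        """
        self._expire(now)
        if icmp_type == ECHO_REQUEST:
            key = (src, dst, echo_id)
            entry = self.table.get(key)
            replied = bool(entry and entry[1])
            self.table[key] = [now + ICMP_TIMEOUT, replied]
            return "ESTABLISHED" if replied else "NEW"
        if icmp_type == ECHO_REPLY:
            entry = self.table.get((dst, src, echo_id))  # reverse direction
            if entry is None:
                return "INVALID"  # nobody asked, or the entry timed out
            entry[0], entry[1] = now + ICMP_TIMEOUT, True
            return "ESTABLISHED"  # packets seen in both directions
        if icmp_type in ERROR_TYPES:
            return "RELATED" if inner in self.table else "INVALID"
        raise ValueError("ICMP type not covered by this model")


def demo():
    # Constructed sample traffic (documentation address ranges).
    t = IcmpTracker()
    me, peer, router = "10.0.0.2", "192.0.2.7", "198.51.100.1"
    return [
        t.classify(0, me, peer, ECHO_REQUEST, echo_id=1),   # outgoing ping
        t.classify(1, peer, me, ECHO_REPLY, echo_id=1),     # answer in time
        t.classify(2, router, me, DEST_UNREACH, inner=(me, peer, 1)),
        t.classify(3, peer, me, ECHO_REPLY, echo_id=99),    # unsolicited
        t.classify(40, peer, me, ECHO_REPLY, echo_id=1),    # entry expired
    ]
```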