Hi Marco,

on my OpenBSD firewall with ipf I configured the same thing and it works. I don't know how they've set it up, but my box then keeps state for icmp... So there must be some way...

Greetings,
Ralf

Marco Ahrendt wrote:
Hi all,
after looking at Marc's firewall script I'm wondering about this line:
$IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $TYPE
There are many more lines where the state module is used on icmp packets. I thought icmp packets had no flags like syn/ack/fin etc., so what allows connection tracking? Did I misunderstand anything?

I'm using my own iptables script and now I wanted to add some icmp rules for accepting icmp-type *unreachable* packets from the internet. If there is the chance to use connection tracking on icmp packets this would be very fine, but I can't imagine how iptables could grep the state when not finding any flags.
Marco
--
Marco Ahrendt                 phone : +49-341-98-474-0
adconsys AG                   fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19       email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany         gnupg key at www.aktex.net/marco_work.asc
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
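The mechanism Marco is asking about, as an added example that is not part of the thread: Linux conntrack does not need TCP flags for ICMP. It pairs an echo reply with the outbound echo request by address pair and echo id, and it marks ICMP error messages such as destination-unreachable as RELATED because they quote the IP header plus the first 8 bytes of the packet that triggered them, which is enough to look up the original flow. The script below models that classification on constructed packets; the addresses, ports and ids are made up for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample addresses (documentation ranges), not from the thread.
US, REMOTE, ROUTER = "192.0.2.10", "198.51.100.5", "203.0.113.1"

def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header (checksum left zero; it is never verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (proto, src, dst, header_len) from an IPv4 header."""
    return (buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])),
            (buf[0] & 0x0F) * 4)

def classify_icmp(packet, flows):
    """Classify an inbound IPv4/ICMP packet the way a stateful filter does.
    flows holds tuples (proto, src, dst, a, b) for traffic we sent out:
    a/b are ports for TCP/UDP, and (echo id, 0) for ICMP echo requests."""
    proto, src, dst, hlen = parse_ipv4(packet)
    if proto != 1:
        return "NOT_ICMP"
    icmp = packet[hlen:]
    itype = icmp[0]
    if itype == 0:  # echo reply: paired with our request by (addresses, id)
        ident = struct.unpack("!H", icmp[4:6])[0]
        return "ESTABLISHED" if (1, dst, src, ident, 0) in flows else "INVALID"
    if itype in (3, 4, 5, 11, 12):  # ICMP errors quote the original IP header + 8 bytes
        inner = icmp[8:]
        iproto, isrc, idst, ihlen = parse_ipv4(inner)
        a, b = struct.unpack("!HH", inner[ihlen:ihlen + 4])
        if iproto == 1:  # quoted packet was itself an echo request: key on its id
            a, b = struct.unpack("!H", inner[ihlen + 4:ihlen + 6])[0], 0
        return "RELATED" if (iproto, isrc, idst, a, b) in flows else "INVALID"
    return "NEW"  # unsolicited echo request etc.: needs an explicit ACCEPT rule

def sample_unreachable(src_port=40000, dst_port=33434):
    """Constructed port-unreachable from ROUTER quoting a UDP probe we sent."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    quoted = ipv4_header(17, US, REMOTE, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(1, ROUTER, US, len(icmp)) + icmp

def sample_echo_reply(ident):
    """Constructed echo reply from REMOTE with the given id, sequence 1."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, 1)
    return ipv4_header(1, REMOTE, US, len(icmp)) + icmp

if __name__ == "__main__":
    flows = {(17, US, REMOTE, 40000, 33434), (1, US, REMOTE, 0x1234, 0)}
    print(classify_icmp(sample_unreachable(), flows))             # RELATED
    print(classify_icmp(sample_unreachable(dst_port=53), flows))  # INVALID
    print(classify_icmp(sample_echo_reply(0x1234), flows))        # ESTABLISHED
```

An unreachable that quotes a flow we never opened stays INVALID, which is why the `--state ESTABLISHED,RELATED` rule in Marc's script accepts only errors that belong to our own traffic.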