SuSEfirewall2 / iptables
Hi all,

after looking at Marc's firewall script I'm wondering about this line:

$IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $TYPE

There are many more lines where the state module is used on icmp packets. I thought the icmp packets had no flags like syn/ack/fin etc. which allow connection tracking? Did I misunderstand anything? I'm using my own iptables script and now I wanted to add some icmp rules for accepting icmp-type *unreachable* packets from the internet. If there is the chance to use connection tracking on icmp packets this would be very fine, but I can't imagine how iptables could grep the state when not finding any flags.

Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
Hi Marco,

on my OpenBSD firewall with ipf I configured the same thing and it works. I don't know how they've set it up, but my box then keeps state for icmp... So there must be some way...

Greetings,
Ralf

Marco Ahrendt wrote:
> Hi all,
> after looking at Marc's firewall script I'm wondering about this line:
> $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p icmp --icmp-type $TYPE
> There are many more lines where the state module is used on icmp packets. I thought the icmp packets had no flags like syn/ack/fin etc. which allow connection tracking? Did I misunderstand anything? I'm using my own iptables script and now I wanted to add some icmp rules for accepting icmp-type *unreachable* packets from the internet. If there is the chance to use connection tracking on icmp packets this would be very fine, but I can't imagine how iptables could grep the state when not finding any flags.
> Marco
> --
> Marco Ahrendt              phone : +49-341-98-474-0
> adconsys AG                fax   : +49-341-98-474-59
> Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
> 04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
Connection tracking doesn't use flags to determine if a connection was started from inside or outside - and this is the big advantage over ipchains. If a packet is sent out to initiate a new connection, an entry is written to the connection table to keep track of the connection and possibly allow the reply from outside. UDP doesn't use flags either, and you can keep track of those sessions as well as icmp's.

Björn

----------------------------------
E-Mail: Bjoern Engels <bengels@lanworks.de>
Date: 03-Apr-01
Time: 08:12:47
----------------------------------
On Tue, Apr 03, 2001 at 08:18:21AM +0200, Bjoern Engels wrote:
> Connection tracking doesn't use flags to determine if a connection was started from inside or outside - and this is the big advantage over ipchains. If a packet is sent out to initiate a new connection, an entry is written to the connection table to keep track of the connection and possibly allow the reply from outside. UDP doesn't use flags either, and you can keep track of those sessions as well as icmp's.
I don't think so. According to some threads in netfilter-ml the connection tracking code currently requires a udp packet in both directions before considering a connection to be established. Therefore how is it possible to conntrack icmp if there are only 2 packets? Ping and reply for example?

Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
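The point Björn makes above, and the two-packet question Marco raises in his follow-up, can be shown with a small model of what the state module actually keys on. The following is an added illustration written for this archive page; it is not code from the thread, from SuSEfirewall2 or from netfilter, and the addresses, echo identifier and port numbers are constructed. It models the conntrack idea: a tracked flow is a tuple of addresses plus protocol-specific identifiers (ports for TCP/UDP, type and echo id for ICMP queries), so no flags are needed. An echo-request opens an entry and the echo-reply is simply the same tuple seen from the other side, which is why a ping needs only two packets to be ESTABLISHED; ICMP errors such as destination-unreachable carry the header of the packet that triggered them and are RELATED when that embedded header matches an entry already in the table, and INVALID otherwise. That last case is what makes `--state RELATED` a safe way to accept unreachables from the internet: only errors about flows this host started get through.

```python
"""Toy model of ICMP/UDP connection tracking without TCP flags (added example)."""
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_ERRORS = {DEST_UNREACH, TIME_EXCEEDED}     # carry an embedded original header
ICMP_QUERIES = {ECHO_REQUEST}                   # the only types allowed to open an entry
ICMP_INVERT = {ECHO_REQUEST: ECHO_REPLY, ECHO_REPLY: ECHO_REQUEST}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "udp" or "tcp"
    sport: int = 0                      # for icmp: the echo identifier
    dport: int = 0
    icmp_type: int = 0
    inner: Optional["Packet"] = None    # header the ICMP error complains about (constructed)


def orig_tuple(p: Packet):
    """Key of a flow as seen in the direction of this packet."""
    if p.proto == "icmp":
        return (p.src, p.dst, "icmp", p.icmp_type, p.sport)
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reply_tuple(p: Packet):
    """Key this packet would have if it were the answer to an existing flow."""
    if p.proto == "icmp":
        return (p.dst, p.src, "icmp", ICMP_INVERT.get(p.icmp_type, p.icmp_type), p.sport)
    return (p.dst, p.src, p.proto, p.dport, p.sport)


class ConnTracker:
    def __init__(self) -> None:
        self.table: dict = {}   # original-direction tuple -> True once a reply was seen

    def classify(self, p: Packet) -> str:
        """Return NEW / ESTABLISHED / RELATED / INVALID and update the table."""
        if p.proto == "icmp" and p.icmp_type in ICMP_ERRORS:
            # An error is judged by the packet it embeds, never by its own addresses.
            if p.inner is None:
                return "INVALID"
            known = orig_tuple(p.inner) in self.table or reply_tuple(p.inner) in self.table
            return "RELATED" if known else "INVALID"
        rev = reply_tuple(p)
        if rev in self.table:               # answer to a flow we opened
            self.table[rev] = True
            return "ESTABLISHED"
        key = orig_tuple(p)
        if key in self.table:               # original direction again
            return "ESTABLISHED" if self.table[key] else "NEW"
        if p.proto == "icmp" and p.icmp_type not in ICMP_QUERIES:
            return "INVALID"                # an echo-reply nobody asked for opens nothing
        self.table[key] = False
        return "NEW"


def demo() -> list:
    """Constructed traffic: a ping, a stray reply, a DNS query and two unreachables."""
    ct = ConnTracker()
    ping = Packet("10.0.0.5", "192.0.2.10", "icmp", sport=0x1234, icmp_type=ECHO_REQUEST)
    pong = Packet("192.0.2.10", "10.0.0.5", "icmp", sport=0x1234, icmp_type=ECHO_REPLY)
    stray = Packet("198.51.100.7", "10.0.0.5", "icmp", sport=0x1234, icmp_type=ECHO_REPLY)
    dns = Packet("10.0.0.5", "192.0.2.10", "udp", sport=40000, dport=53)
    dns_reply = Packet("192.0.2.10", "10.0.0.5", "udp", sport=53, dport=40000)
    unreach = Packet("203.0.113.1", "10.0.0.5", "icmp", icmp_type=DEST_UNREACH, inner=dns)
    bogus = Packet("203.0.113.1", "10.0.0.5", "icmp", icmp_type=DEST_UNREACH,
                   inner=Packet("10.0.0.5", "192.0.2.99", "udp", sport=1, dport=2))
    return [ct.classify(p) for p in (ping, pong, stray, dns, dns, unreach, bogus, dns_reply, dns)]


if __name__ == "__main__":
    for state in demo():
        print(state)
```

The sequence shows both behaviours discussed in the thread: the UDP query stays NEW until a packet has been seen in the reverse direction (the second `dns` packet is still NEW, the one after `dns_reply` is ESTABLISHED), while the echo-reply is ESTABLISHED immediately because its tuple is the inverse of the request's. The unreachable from the router is RELATED only because its embedded header matches the tracked DNS flow; the second unreachable, about a flow that was never opened, is INVALID and would be dropped by a rule set that only accepts ESTABLISHED,RELATED.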
participants (3)
-
Bjoern Engels
-
Marco Ahrendt
-
Ralf Ronneburger