On Wed, 2004-10-13 at 14:24, Juan L. Pastor wrote:
> On Tue, 2004-10-12 at 21:42, Alexander Dalloz wrote:
>
> > > -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> >
> > You drop all other ICMP types other than echo (=8). That is bad. ICMP is
> > an important protocol and blocking specific types will break things! If
> > you don't know for sure why you block a specific ICMP type then just
> > don't. You gain no security.
>
> So I guess I should change this line with:
>
> -A INPUT -p icmp -j ACCEPT
>
> Is this OK? Actually I would prefer that ICMP Type 8 is disallowed only.
>
> > > Oct 12 21:18:52 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT=
> > > MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=62.48.113.158
> > > DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=21077 PROTO=TCP
> > > SPT=4662 DPT=36569 WINDOW=0 RES=0x00 ACK RST URGP=0
> > >
> > > I think these are acknowledge packets, and they should be accepted (BTW,
> > > 4662 is my TCP port for amule). Why are they not accepted by the above
> > > rules (state ESTABLISHED) and how can I accept these dropped packets?
> >
> > What tells you that these are ESTABLISHED (or RELATED) connections? If
> > they would be, then they would not go to the LOGDROP chain. If running a
> > P2P client such connection attempts are pretty normal. This is how P2P
> > works.
>
> If these are ACK packets, I assume that they are a response to a previously
> established communication. How can I let these packets come into my

Based on the logs, yes they would seem to be ACK packets, but look at the DST:
these are supposed to be NON-routeable addresses 192.168.x.x, which I think
_should_ be rejected. Unless you are running NAT and you're doing DNAT. (?)
Are you?

-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel 2.6.7-2.jul1-interactive
Neuromancer 14:38:00 up 5:26, 4 users, load average: 0.87, 0.76, 0.52
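As an added example (not part of the thread, and not code from any of its authors), a small Python parser for the kernel LOG line quoted above: it pulls out the SRC/DST/port fields and the bare TCP flag words, checks whether DST is an RFC1918 address as the reply suggests, and says why a TCP packet that reached the LOGDROP chain cannot have matched a state ESTABLISHED rule placed above it. The sample line is the one quoted in the thread with its syslog prefix trimmed; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the netfilter LOG line quoted in the thread,
# with the "Oct 12 21:18:52 kalimotxo kernel:" syslog prefix trimmed.
SAMPLE_LOG = (
    "Bad packet from eth0:IN=eth0 OUT= "
    "MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=62.48.113.158 "
    "DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=21077 PROTO=TCP "
    "SPT=4662 DPT=36569 WINDOW=0 RES=0x00 ACK RST URGP=0"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_nf_log(line):
    """Split a netfilter LOG line into its KEY=VALUE fields. TCP flags are
    logged as bare words, so they are collected separately under 'FLAGS'."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return fields


def dst_is_private(fields):
    """True when DST is an RFC1918 address, i.e. the logging host is the
    NAT box itself or sits behind one (the point raised in the reply)."""
    return ipaddress.ip_address(fields["DST"]).is_private


def classify(fields):
    """Explain why a TCP packet that fell through to the LOGDROP chain was
    not matched by '-m state --state ESTABLISHED,RELATED -j ACCEPT':
    a packet reaching the drop chain had, by definition, no conntrack entry."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new"        # inbound connection attempt; only a NEW rule can accept it
    if "RST" in flags:
        return "stray-rst"  # peer resetting a flow conntrack no longer tracks; harmless to drop
    return "stray"          # mid-stream segment with no conntrack entry; cannot be ESTABLISHED


if __name__ == "__main__":
    f = parse_nf_log(SAMPLE_LOG)
    print(f["SRC"], "->", f["DST"], sorted(f["FLAGS"]), classify(f),
          "private dst" if dst_is_private(f) else "public dst")
```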