Thanks for your attention.

A response coming from another IP is exactly what happens in the DCC protocol of IRC, and the modules nf_conntrack_irc.ko and nf_nat_irc.ko make it possible by using the address 0.0.0.0 as the source IP of the expectation, which works like a wildcard.

Best Regards
Hugo Mendes

________________________________________
From: Leonardo Rodrigues [leolistas@xxxxxxxxxxxxxx]
Sent: Friday, 24 July 2009 21:16
To: Hugo Miguel Mendes
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: NTP server

Hugo Miguel Mendes wrote:
> Dear all,
>
> I'm running netfilter on a router operating OpenWRT Kamikaze 8.09, kernel 2.6.25.17.
>
> I have two computers on the router LAN which are programmed to get the time from an NTP server. This NTP server has a load balancing mechanism, so the computer that responds to the NTP request is not the same one to which the request was sent. So the response is blocked by netfilter, because that connection wasn't started from the LAN. But the NTP server always keeps the same ports and always listens on port 123. So if you make the request from port 1024 to port 123 of the server, the response will come from 123 to 1024.

The load balancing mechanism for this NTP server is fucking broken. The load balancing mechanism is the one that should be fixed, not your netfilter module. This kind of response, coming from another IP, won't be allowed by any possible firewall, which in the last 6-7-8 years probably are all stateful ones.

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it: gertrudes@xxxxxxxxxxxxxx
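The wildcard-source expectation Hugo refers to is easiest to see in a small model. The following is an added user-space illustration, not code from the kernel, from OpenWRT or from anyone in this thread: it mimics how a conntrack expectation carries a tuple plus a mask (in the real kernel, passing NULL as the source address to nf_ct_expect_init() zeroes both the source address and its mask, which is the 0.0.0.0 wildcard the IRC helper relies on), then classifies the NTP reply from the scenario in the quoted message. The addresses and the helper names below are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of a conntrack expectation (constructed for illustration,
 * not the kernel's struct nf_conntrack_expect). Addresses are IPv4 in host
 * byte order so the example reads easily. */
struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;            /* 17 = UDP */
};

/* A tuple plus a mask: a zero mask field means "don't care". This is what
 * the kernel produces for the source address when the helper registers the
 * expectation with a NULL/0.0.0.0 source, as nf_conntrack_irc does for DCC. */
struct expectation {
    struct tuple tuple;
    struct tuple mask;
    bool in_use;
};

enum verdict { CT_NEW, CT_RELATED };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Same idea as the kernel's nf_ct_tuple_mask_cmp(): only masked bits count. */
static bool tuple_mask_cmp(const struct tuple *t, const struct tuple *e,
                           const struct tuple *m)
{
    return ((t->saddr ^ e->saddr) & m->saddr) == 0 &&
           ((t->daddr ^ e->daddr) & m->daddr) == 0 &&
           ((t->sport ^ e->sport) & m->sport) == 0 &&
           ((t->dport ^ e->dport) & m->dport) == 0 &&
           ((t->proto ^ e->proto) & m->proto) == 0;
}

/* What a (hypothetical) NTP helper would register after seeing the request:
 * the reply must go to the client's address/port and come from port 123;
 * with wildcard_src it may come from any server address. */
static struct expectation make_ntp_expectation(const struct tuple *req,
                                               bool wildcard_src)
{
    struct expectation exp;
    memset(&exp, 0, sizeof exp);
    exp.tuple.saddr = wildcard_src ? 0 : req->daddr;   /* 0.0.0.0 = any */
    exp.mask.saddr  = wildcard_src ? 0 : 0xffffffffu;
    exp.tuple.sport = req->dport;  exp.mask.sport = 0xffff;   /* 123 */
    exp.tuple.daddr = req->saddr;  exp.mask.daddr = 0xffffffffu;
    exp.tuple.dport = req->sport;  exp.mask.dport = 0xffff;   /* 1024 */
    exp.tuple.proto = req->proto;  exp.mask.proto = 0xff;
    exp.in_use = true;
    return exp;
}

/* A UDP packet matching no conntrack entry is NEW unless an expectation
 * claims it, in which case it is RELATED and passes the usual
 * "--state ESTABLISHED,RELATED" rule on the WAN side. */
static enum verdict classify_reply(const struct expectation *exp,
                                   const struct tuple *reply)
{
    if (exp->in_use && tuple_mask_cmp(reply, &exp->tuple, &exp->mask))
        return CT_RELATED;
    return CT_NEW;
}

/* Scenario from the thread: LAN host port 1024 -> published server :123;
 * the reply is sourced from port 123 but possibly from a different backend.
 * Addresses are made up (documentation ranges). */
static enum verdict ntp_scenario(bool wildcard_src, bool reply_from_other_host)
{
    struct tuple req = { ip4(192,168,1,10), ip4(198,51,100,1), 1024, 123, 17 };
    struct expectation exp = make_ntp_expectation(&req, wildcard_src);
    struct tuple reply = {
        reply_from_other_host ? ip4(198,51,100,7) : ip4(198,51,100,1),
        ip4(192,168,1,10), 123, 1024, 17 };
    return classify_reply(&exp, &reply);
}

int main(void)
{
    printf("strict src, reply from other host : %s\n",
           ntp_scenario(false, true) == CT_RELATED ? "RELATED" : "NEW (dropped)");
    printf("wildcard src, reply from other host: %s\n",
           ntp_scenario(true, true) == CT_RELATED ? "RELATED" : "NEW (dropped)");
    return 0;
}
```

The caveat a practitioner should weigh before writing such a helper: with the source address wildcarded, any host that can guess the client's address and ephemeral port can send a UDP datagram from port 123 and have it accepted as RELATED for as long as the expectation lives, which is the same exposure the IRC DCC helper has. Since the thread notes that the reply always comes from port 123 to the port the request was sent from, a plain stateless accept rule for UDP source port 123 to the specific client port is an alternative with the same exposure but no helper code to maintain.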