Re: MASQ leak?



On Thursday 2023-08-31 11:14, Ian Kumlien wrote:
>Anyway, it turns out that netfilter masq can leak internal information.
>It was fixed by doing:
>table inet filter {
>       chain forward {
>               type filter hook forward priority 0;
>               ct state invalid counter drop # <- this one
>       }
>}
>It just seems odd to me that traffic can go through without being NAT:ed

MASQ requires connection tracking; if tracking is disabled for a connection,
addresses cannot be changed.

>And since I thought it was quite bad to just drop internal traffic

Now you know why drop policies are in place in every serious installation.
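A complete minimal ruleset that puts the two halves together, the masquerade and the forward-chain handling of untracked packets, as an added example that is not part of the thread; the interface names eth0 (upstream) and lan0 (internal) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: a minimal masquerading router.
# Interface names eth0 (upstream) and lan0 (internal) are assumptions.
flush ruleset

table inet filter {
        chain forward {
                type filter hook forward priority 0; policy drop;

                # Packets conntrack cannot associate with a flow (for example
                # mid-stream TCP after the entry timed out) never receive a NAT
                # mapping, so without this rule they would leave eth0 carrying
                # their internal source address. Counting them makes the leak
                # visible in `nft list ruleset`.
                ct state invalid counter drop

                # Replies to tracked flows, and new flows opened from the LAN.
                ct state established,related accept
                iifname "lan0" oifname "eth0" ct state new accept
        }
}

table inet nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # Only packets that have a conntrack entry are rewritten here;
                # untracked (invalid) packets pass through unchanged.
                oifname "eth0" masquerade
        }
}
```

With the default policy set to drop, anything the forward chain does not explicitly accept, tracked or not, is discarded rather than forwarded with an unrewritten source.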
