On Thursday 2023-08-31 11:14, Ian Kumlien wrote:
>
> Anyway, it turns out that netfilter masq can leak internal information.
>
> It was fixed by doing:
>
> table inet filter {
> ...
>     chain forward {
>         type filter hook forward priority 0;
>         ct state invalid counter drop # <- this one
>
> It just seems odd to me that traffic can go through without being NAT'ed

MASQ requires connection tracking; if tracking is disabled for a connection, addresses cannot be changed.

> And since I thought it was quite bad to just drop internal traffic

Now you know why drop policies are in place in every serious installation.
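A complete ruleset showing where the quoted `ct state invalid` rule sits relative to the masquerade rule, added here as an example and not taken from the thread; the interface names (eth0 for the LAN, eth1 for the uplink) and the 192.168.1.0/24 LAN are assumptions.

```nft
# Added example (not from the thread). Assumes the LAN is 192.168.1.0/24 on
# eth0 and the uplink is eth1; adjust both to match the host.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot classify (stray ACKs, out-of-window
        # segments, replies to flows that already expired) never get a
        # conntrack entry, so masquerade cannot rewrite them. Dropping
        # them here is what stops internal addresses leaving the box.
        ct state invalid counter drop

        # Reply traffic for flows conntrack already knows about.
        ct state established,related accept

        # New flows from the LAN towards the uplink. These create the
        # conntrack entry that the masquerade rule below relies on.
        iifname "eth0" oifname "eth1" ip saddr 192.168.1.0/24 ct state new accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT is only applied to tracked flows; an untracked packet
        # that reached this hook would leave with its original source.
        oifname "eth1" masquerade
    }
}
```

Load it with `nft -f <file>` and check the `counter` on the invalid rule with `nft list ruleset` to see how much untracked traffic the forward path is actually seeing.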