On Thu, Aug 31, 2023 at 11:33 AM Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Thursday 2023-08-31 11:14, Ian Kumlien wrote:
>
> >Anyway, it turns out that netfilter masq can leak internal information.
> >
> >It was fixed by doing:
> >table inet filter {
> >...
> >    chain forward {
> >        type filter hook forward priority 0;
> >        ct state invalid counter drop   # <- this one
> >
> >It just seems odd to me that traffic can go through without being NAT:ed
>
> MASQ requires connection tracking; if tracking is disabled for a connection,
> addresses cannot be changed.

I don't disable connection tracking - this is most likely an expired session that is reused, and IMHO it should just be added.

> >And since I thought it was quite bad to just drop internal traffic
>
> Now you know why drop policies are in place in every serious installation.

I have never had to use this to prevent internal traffic from getting out in a non-NAT:ed state. Not with ipfw, ipchains, iptables - I have never seen this behaviour before, not in 25 years..
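For readers who want to see the whole picture rather than the single rule quoted above, here is a complete minimal ruleset for a masquerading router. It is an added example written for this discussion, not Ian's or Jan's configuration; the interface names "wan0" and "lan0" are assumed. The weak variant that leaks is the same forward chain with `policy accept` and without the `ct state invalid` line: a packet that conntrack cannot tie to a flow (for instance a late packet of a session whose entry has already expired) is never rewritten by masquerade, so with a permissive forward chain it is forwarded carrying its internal source address. The corrected chain below drops such packets explicitly, and the `counter` makes the leak visible instead of silent.

```nft
# Added example (not from the thread). Interface names are assumptions.
table inet filter {
    chain forward {
        # Default-drop policy: anything not accepted below is discarded.
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot associate with a tracked flow are never
        # translated by masquerade. Drop them before they leave unchanged;
        # the counter lets you watch for the leak with "nft list ruleset".
        ct state invalid counter drop

        # Replies belonging to tracked flows pass in both directions.
        ct state established,related accept

        # New flows may only be opened from the internal network outwards.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}

table inet nat {
    chain postrouting {
        # 100 is the conventional source-NAT priority ("srcnat").
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and check the counter on the invalid-state rule over time: a non-zero count confirms that untracked packets are reaching the forward path, which is exactly the traffic that would otherwise have left with an internal address.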