On Fri 28/02/2003 at 11:37, netfilter@tommi.org wrote:
> I'm wondering if state doesn't apply to ICMP packets.

It applies.

> iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
> if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal? I
> thought that the echo-reply should be marked RELATED and therefore not
> blocked?

Nope. In fact, you can separate ICMP messages into two categories:
  . ICMP errors
  . standalone ICMP

ICMP errors are related to an existing IP flow. As such, the conntrack engine flags them as RELATED.

Standalone ICMP (ping, netmask, timestamp and info, cf. ip_conntrack_proto_icmp.c) are not related to an IP flow, and are flagged using the NEW/ESTABLISHED states. If you ping someone, the echo-request is NEW and the echo-reply is ESTABLISHED.

-- 
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
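The classification described in the reply, as an added example that is not part of the original thread: a small Python model of how conntrack assigns `--state` values to ICMP (standalone request/reply types versus error types that are judged by the packet quoted inside them), with the poster's two FORWARD rules evaluated against a ping and its reply. The model assumes the poster's FORWARD chain has a DROP policy (the thread does not say so, but that is what makes the reply disappear), and the "fixed" chain with an `ESTABLISHED,RELATED` accept rule is an assumed correction, not something from the thread. Identifiers, addresses and the flow tuples are constructed for the example.

```python
# Added example (not from the netfilter thread): toy conntrack ICMP classifier.
from dataclasses import dataclass
from typing import Optional, Tuple

# Standalone ICMP types that may open a conntrack entry, and their replies
# (echo, timestamp, info, address mask: the types ip_conntrack_proto_icmp.c
# accepts as "new" connections).
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
REPLY_TO_REQUEST = {r: q for q, r in REQUEST_TO_REPLY.items()}
# ICMP error types: dest-unreach, source-quench, redirect, time-exceeded, param-problem.
ERROR_TYPES = {3, 4, 5, 11, 12}

Flow = Tuple  # ("icmp", src, dst, ident) or ("tcp"/"udp", src, dst, sport, dport)


@dataclass
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0                # echo/timestamp/info identifier
    inner: Optional[Flow] = None  # for error types: tuple of the quoted packet


def reverse(flow: Flow) -> Flow:
    if flow[0] == "icmp":
        return ("icmp", flow[2], flow[1], flow[3])
    return (flow[0], flow[2], flow[1], flow[4], flow[3])


class Conntrack:
    """Flow table keyed by the original-direction tuple; value = reply seen yet."""

    def __init__(self):
        self.flows = {}

    def track(self, flow: Flow) -> None:
        """Register a flow (e.g. a UDP probe) as if its first packet had been seen."""
        self.flows.setdefault(flow, False)

    def state(self, pkt: Icmp) -> str:
        if pkt.type in ERROR_TYPES:
            # Errors are RELATED only when the quoted packet belongs to a tracked flow.
            if pkt.inner is not None and (pkt.inner in self.flows or reverse(pkt.inner) in self.flows):
                return "RELATED"
            return "INVALID"
        if pkt.type in REQUEST_TO_REPLY:
            key = ("icmp", pkt.src, pkt.dst, pkt.ident)
            if key not in self.flows:
                self.flows[key] = False       # new entry, no reply seen yet
                return "NEW"
            return "ESTABLISHED" if self.flows[key] else "NEW"
        if pkt.type in REPLY_TO_REQUEST:
            key = ("icmp", pkt.dst, pkt.src, pkt.ident)  # reply direction = reversed tuple
            if key in self.flows:
                self.flows[key] = True        # reply seen: entry is now ESTABLISHED
                return "ESTABLISHED"
            return "INVALID"                  # a reply nobody asked for
        return "INVALID"                      # any other type cannot open an entry


@dataclass
class Rule:
    states: set                 # --state values this rule matches
    target: str                 # ACCEPT or REJECT
    dst: Optional[str] = None   # -d, None means any
    proto: Optional[str] = None # -p, None means any (all packets here are ICMP)


def evaluate(chain, pkt: Icmp, ct: Conntrack, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the (assumed) chain policy applies."""
    state = ct.state(pkt)
    for rule in chain:
        if state in rule.states and rule.dst in (None, pkt.dst) and rule.proto in (None, "icmp"):
            return rule.target
    return policy


# The poster's two FORWARD rules, as quoted in the thread.
ORIGINAL_CHAIN = [
    Rule({"NEW"}, "ACCEPT", dst="1.2.3.4", proto="icmp"),
    Rule({"NEW", "INVALID"}, "REJECT"),
]
# Assumed correction (not from the thread): accept conntrack's return traffic first.
FIXED_CHAIN = [
    Rule({"ESTABLISHED", "RELATED"}, "ACCEPT"),
    Rule({"NEW"}, "ACCEPT", dst="1.2.3.4", proto="icmp"),
    Rule({"NEW", "INVALID"}, "REJECT"),
]


def ping_through(chain):
    """Forward an echo-request and its echo-reply through `chain`; return both verdicts."""
    ct = Conntrack()
    request = Icmp("10.0.0.5", "1.2.3.4", 8, ident=0x1234)   # constructed sample packets
    reply = Icmp("1.2.3.4", "10.0.0.5", 0, ident=0x1234)
    return [evaluate(chain, request, ct), evaluate(chain, reply, ct)]


def traceroute_errors():
    """TTL-exceeded quoting a tracked UDP probe is RELATED; one quoting nothing we track is INVALID."""
    ct = Conntrack()
    ct.track(("udp", "10.0.0.5", "1.2.3.4", 40000, 33434))
    related = Icmp("192.0.2.1", "10.0.0.5", 11, inner=("udp", "10.0.0.5", "1.2.3.4", 40000, 33434))
    orphan = Icmp("192.0.2.1", "10.0.0.5", 11, inner=("udp", "10.0.0.5", "1.2.3.4", 40001, 33435))
    return [ct.state(related), ct.state(orphan)]


if __name__ == "__main__":
    print("original chain:", ping_through(ORIGINAL_CHAIN))  # reply falls to the policy
    print("fixed chain:   ", ping_through(FIXED_CHAIN))
    print("errors:        ", traceroute_errors())
```

With the poster's rules the echo-reply is ESTABLISHED, matches neither rule, and falls through to the chain policy; putting an `ESTABLISHED,RELATED` accept ahead of the NEW rules lets it back in without opening the chain to unsolicited ICMP, which the model still reports as INVALID.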