On Fri, 28 Feb 2003 netfilter@tommi.org wrote:

> I'm wondering if state doesn't apply to ICMP packets.
>
> iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
>
> if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
> thought that the echo-reply should be marked RELATED and therefore not
> blocked?

ICMP echo-reply is not an ICMP error message, it is not RELATED to another
connection. You can match it as ESTABLISHED.

Regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
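
The state classification described in the reply, as an added example that is not part of the original messages: a simplified Python model of the state match for ICMP, evaluated first-match against the two posted rules and against the same chain with an ESTABLISHED,RELATED accept rule in front. The DROP chain policy, the addresses 10.0.0.5 and 192.0.2.1, the ICMP ids and the extra accept rule are assumptions made for the example.

```python
# Simplified model of the netfilter state match for ICMP (illustration only).
ERRORS = {"destination-unreachable", "time-exceeded", "parameter-problem"}

def icmp(type_, src, dst, id_=None, about=None):
    return {"proto": "icmp", "type": type_, "src": src, "dst": dst,
            "id": id_, "about": about}

def classify(pkt, tracked):
    if pkt["type"] == "echo-request":
        return "NEW"  # simplification: every request here opens a new flow
    if pkt["type"] == "echo-reply":
        # Return half of a tracked flow is ESTABLISHED; unsolicited is INVALID.
        flow = (pkt["dst"], pkt["src"], pkt["id"])
        return "ESTABLISHED" if flow in tracked else "INVALID"
    if pkt["type"] in ERRORS:
        # ICMP errors quote the packet that caused them; RELATED if tracked.
        return "RELATED" if pkt["about"] in tracked else "INVALID"
    return "INVALID"

def rule(states, target, proto=None, dst=None):
    def match(pkt, state):
        return (state in states and proto in (None, pkt["proto"])
                and dst in (None, pkt["dst"]))
    return match, target

# The question's two rules; FIXED adds --state ESTABLISHED,RELATED -j ACCEPT first.
POSTED = [rule({"NEW"}, "ACCEPT", proto="icmp", dst="1.2.3.4"),
          rule({"NEW", "INVALID"}, "REJECT")]
FIXED = [rule({"ESTABLISHED", "RELATED"}, "ACCEPT")] + POSTED

def forward(chain, packets, policy="DROP"):  # DROP policy is an assumption
    tracked, verdicts = set(), []
    for pkt in packets:
        state = classify(pkt, tracked)
        verdict = next((t for m, t in chain if m(pkt, state)), policy)
        if state == "NEW" and verdict == "ACCEPT":  # only accepted flows are kept
            tracked.add((pkt["src"], pkt["dst"], pkt["id"]))
        verdicts.append((pkt["type"], state, verdict))
    return verdicts

# Constructed packets: a ping, its reply, an error about it, a stray reply.
PACKETS = [icmp("echo-request", "10.0.0.5", "1.2.3.4", id_=7),
           icmp("echo-reply", "1.2.3.4", "10.0.0.5", id_=7),
           icmp("time-exceeded", "192.0.2.1", "10.0.0.5",
                about=("10.0.0.5", "1.2.3.4", 7)),
           icmp("echo-reply", "1.2.3.4", "10.0.0.5", id_=99)]

for name, chain in (("posted", POSTED), ("fixed", FIXED)):
    print(name, forward(chain, PACKETS))
```

With the posted chain the echo-reply is ESTABLISHED, matches neither rule and falls through to the chain policy; the stray reply is INVALID and is rejected by the second rule in both chains.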