Re: firewall + tcpdump



On Tuesday 30 March 2004 4:16 pm, Peggy Kam wrote:

> > Not sure quite what you mean by "in front or behind", however I can tell you
> > that tcpdump works "closer to the wire" than netfilter, so it will see
> > all traffic hitting the interface, whether netfilter allows it or not.
>
> As you have said that all traffic hitting the interface is seen whether
> netfilter allows it or not, my question was how do I know whether the
> packets being sent get blocked?

1. If it's a routing firewall, see if the packets come out the other side 
(tcpdump on both interfaces).

2. If it's not a routing firewall, see if any response packets come back again 
(for TCP).

3. Put a LOG rule in your ruleset just before DROPping the packets, so you 
know what got DROPped.

4. If you're really interested in this sort of thing, you might want to 
investigate http://www.snort.org

Regards,

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.
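The procedure in points 1 to 3 above, as an added example that is not part of the original thread or of the netfilter project: a LOG rule placed immediately before the DROP rule so that every dropped packet leaves a kernel log line, the tcpdump invocations for watching both sides of a routing firewall, and a small parser for the resulting log lines. The interface names (eth0/eth1), the port (23) and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows how to make
# netfilter record what it DROPs, and how to read those records back.

# Print (rather than execute) the iptables commands that first LOG and
# then DROP inbound TCP to a port on a given interface. LOG is a
# non-terminating target, so the packet falls through to the DROP rule
# that follows it. Interface and port are assumptions for illustration.
log_then_drop_rules() {
    iface="$1"; port="$2"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j LOG --log-prefix "DROP-IN: " --log-level 4\n' "$iface" "$port"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$iface" "$port"
}

# Point 1 of the procedure: on a routing firewall, capture the same flow
# on the inside and outside interfaces and compare. If packets appear on
# eth0 but never on eth1, netfilter dropped them in between.
# (Printed, not executed, so the script runs without root or interfaces.)
tcpdump_both_sides() {
    port="$1"
    printf 'tcpdump -ni eth0 "tcp port %s"\n' "$port"
    printf 'tcpdump -ni eth1 "tcp port %s"\n' "$port"
}

# Constructed sample kernel log line in the format the LOG target writes.
SAMPLE_LOG='Mar 30 16:20:01 fw kernel: DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

# Reduce one LOG line to "SRC -> DST:DPT" so dropped flows are easy to read.
parse_drop_line() {
    echo "$1" | sed -n 's/.*DROP-IN: .*SRC=\([^ ]*\) DST=\([^ ]*\).* DPT=\([0-9]*\).*/\1 -> \2:\3/p'
}

# Usage when run directly: show the rules, the captures, and a parsed line.
if [ "${0##*/}" = "log_drop_example.sh" ]; then
    log_then_drop_rules eth0 23
    tcpdump_both_sides 23
    parse_drop_line "$SAMPLE_LOG"
fi
```

Once the two rules are loaded, the lines appear in the kernel log (dmesg, or wherever syslog sends kern.warning); grep for the prefix and pipe through parse_drop_line to get a list of what was blocked. Keeping the LOG rule directly above its DROP rule is what makes the log an exact record of the drop decision.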
