He was talking about pinging from behind his NAT, it has nothing to do with people pinging him, FYI. -----Original Message----- From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, June 30, 2004 4:51 PM To: Piszcz, Justin Michael Cc: Jozsef Kadlecsik; netfilter Subject: RE: traceroute Le mer 30/06/2004 à 17:21, Piszcz, Justin Michael a écrit : > I do not know where you are getting your info from, but it is clearly > incorrect. >From the source code, I guess, just like I did. You have two type of ICMP handling. On one hand hand, you have request/response ICMP stuff : echo, timestamp, netmask and info. Theses messages are handled with state NEW for request and state ESTABLISHED for answer. So an ICMP echo request has NEW state and related ICMP echo reply is ESTABLISHED. A lonely ICMP echo reply is INVALID. On the other hand, you have ICMP errors, that have RELATED state as long as kernel is able to find to which conntrack entry they belong. Otherwise, they're INVALID. So, if you don't allow ICMP with NEW state in INPUT chain, then no one will be able to ping you. See /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_icmp.c file. So you're simply wrong. > I do not allow any ICMP explicitly and I have never had a problem > using NAT or similar. And if you're able to ping anyway, it means you have a rule that implicitly accepts thoses packets, and then should read your ruleset again. -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread!
