RE: traceroute

He was talking about pinging from behind his NAT; it has nothing to do with people pinging him, FYI.


-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, June 30, 2004 4:51 PM
To: Piszcz, Justin Michael
Cc: Jozsef Kadlecsik; netfilter
Subject: RE: traceroute

On Wed 30/06/2004 at 17:21, Piszcz, Justin Michael wrote:
> I do not know where you are getting your info from, but it is clearly
> incorrect.

From the source code, I guess, just like I did.

You have two types of ICMP handling. On one hand, you have
request/response ICMP stuff: echo, timestamp, netmask and info. These
messages are handled with state NEW for the request and state ESTABLISHED
for the answer. So an ICMP echo request has NEW state and the related ICMP echo
reply is ESTABLISHED. A lonely ICMP echo reply is INVALID. On the other
hand, you have ICMP errors, which have RELATED state as long as the kernel is
able to find which conntrack entry they belong to. Otherwise, they're
INVALID.

So, if you don't allow ICMP with NEW state in INPUT chain, then no one
will be able to ping you.

See /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_icmp.c file.

So you're simply wrong.

> I do not allow any ICMP explicitly and I have never had a problem
> using NAT or similar.

And if you're able to ping anyway, it means you have a rule that
implicitly accepts those packets, and then you should read your ruleset
again.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
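An added example, not from the thread or from the netfilter sources: a toy Python model of the ICMP state classification Cedric describes (request NEW, matching reply ESTABLISHED, stray reply INVALID, error RELATED only when the quoted packet matches a tracked flow), with a minimal INPUT chain to show why an outbound ping or traceroute from behind NAT still works when only ESTABLISHED,RELATED is accepted, while inbound pings do not. All addresses and ports are constructed.

```python
from dataclasses import dataclass, field

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"

# Request -> reply ICMP types: echo, timestamp, info, address mask.
REQUEST_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
REPLY_REQUEST = {reply: req for req, reply in REQUEST_REPLY.items()}
# ICMP error types that quote the offending packet's headers.
ERROR_TYPES = {3, 4, 5, 11, 12}

@dataclass
class Conntrack:
    """Toy conntrack table (not the kernel's). Keys are flow tuples such as
    ("icmp", src, dst, request_type, icmp_id) or ("udp", src, dst, sport, dport)."""
    entries: set = field(default_factory=set)

    def track(self, key):
        self.entries.add(key)

    def icmp_state(self, src, dst, itype, icmp_id=0, inner=None):
        """State assigned to an ICMP packet; `inner` is the flow key of the
        packet quoted inside an ICMP error, if any."""
        if itype in REQUEST_REPLY:            # a request opens a new entry
            self.track(("icmp", src, dst, itype, icmp_id))
            return NEW
        if itype in REPLY_REQUEST:            # a reply must match a known request
            key = ("icmp", dst, src, REPLY_REQUEST[itype], icmp_id)
            return ESTABLISHED if key in self.entries else INVALID
        if itype in ERROR_TYPES:              # errors relate to the quoted flow
            return RELATED if inner in self.entries else INVALID
        return INVALID

def input_chain_accepts(state, allow_new_icmp=False):
    """INPUT: ACCEPT ESTABLISHED,RELATED; optionally ACCEPT icmp NEW; else DROP."""
    if state in (ESTABLISHED, RELATED):
        return True
    return state == NEW and allow_new_icmp

def demo():
    ct = Conntrack()
    # Traceroute probe leaving the NAT box; its TTL expires at an intermediate hop.
    probe = ("udp", "10.0.0.2", "198.51.100.9", 40000, 33434)          # constructed
    ct.track(probe)
    hop_error = ct.icmp_state("203.0.113.1", "10.0.0.2", 11, inner=probe)  # time-exceeded
    # Outbound ping: request goes out as NEW, the reply comes back ESTABLISHED.
    ct.icmp_state("10.0.0.2", "198.51.100.9", 8, icmp_id=42)
    reply = ct.icmp_state("198.51.100.9", "10.0.0.2", 0, icmp_id=42)
    # Inbound ping from a stranger is NEW; a reply nobody asked for is INVALID.
    stranger = ct.icmp_state("203.0.113.7", "10.0.0.2", 8, icmp_id=1)
    stray = ct.icmp_state("203.0.113.8", "10.0.0.2", 0, icmp_id=99)
    return {"hop_error": hop_error, "reply": reply, "stranger": stranger, "stray": stray}
```

With `allow_new_icmp=False`, `demo()` shows the hop error and the echo reply passing INPUT while the stranger's echo request is dropped, which is exactly the "no one will be able to ping you" case.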


