I do not know if this issue has been raised yet. On a TCP or UDP protocol, if there are communication problems, ICMP "responses" are generated. Does conntrack handle all ICMP "responses" correctly? The responses that I can think of are:

  3  Destination Unreachable
 11  Time to Live Exceeded
  4  Source Quench

The reason why I am asking is that I have rules such as:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
....
-A OUTPUT -j RULE_DROP
-A INPUT -j RULE_DROP
-A FORWARD -j RULE_DROP
-A RULE_DROP -m limit --limit 5/second -j LOG --log-level info --log-prefix "RULE DROP -- "
-A RULE_DROP -j DROP

And I still see ICMP types which should be handled by conntrack in the log file, such as:

May 16 12:04:23 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=68.121.146.134 DST=62.53.192.175 LEN=56 TOS=0x00 PREC=0xE0 TTL=42 ID=44796 PROTO=ICMP TYPE=3 CODE=3 [SRC=62.53.192.175 DST=68.121.146.134 LEN=85 TOS=0x00 PREC=0x00 TTL=98 ID=47689 PROTO=UDP SPT=45585 DPT=65000 LEN=65 ]
May 16 12:07:12 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=68.0.95.18 DST=62.53.192.175 LEN=76 TOS=0x00 PREC=0xE0 TTL=49 ID=65337 PROTO=ICMP TYPE=3 CODE=1 [SRC=62.53.192.175 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x80 TTL=110 ID=52247 DF PROTO=TCP SPT=45783 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0 ]
May 16 12:07:20 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=10.49.4.6 DST=62.53.192.143 LEN=56 TOS=0x00 PREC=0xE0 TTL=230 ID=47467 PROTO=ICMP TYPE=11 CODE=0 [SRC=62.53.192.143 DST=219.100.31.227 LEN=40 TOS=0x00 PREC=0xE0 TTL=1 ID=54789 DF PROTO=TCP INCOMPLETE [8 bytes] ]

Shouldn't these messages be handled by conntrack as "RELATED" or "ESTABLISHED" and be let through the firewall and therefore not be logged (i.e. dropped)? Can anybody help or explain?

Clemente
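The question above can be checked against the log lines themselves. The script below is an added example, not code from the original post or from the netfilter project. It parses kernel LOG lines in the format shown in the post, pulls the embedded (offending) packet out of the bracketed part, and compares its 5-tuple against a small stand-in for the conntrack table. Netfilter marks an ICMP error as RELATED only when the embedded packet's tuple matches a connection it already tracks (in either direction); otherwise the packet is INVALID, and INVALID never matches --state ESTABLISHED,RELATED. The three sample lines are copied from the post; the conntrack table contents, the check that the error is addressed to the embedded packet's sender, and the function names are this example's own assumptions. On a real box the table would come from `conntrack -L` or /proc/net/nf_conntrack, and NAT rewriting of the inner header is ignored here.

```python
"""Classify iptables LOG lines that carry ICMP error messages.

Added example (not the original poster's code). It reproduces the
decision conntrack makes for ICMP errors: look up the embedded packet's
5-tuple; a hit makes the ICMP packet RELATED, a miss makes it INVALID.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ICMP types that carry a copy of the packet that triggered them (RFC 792).
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}

# The LOG target prints this when the embedded transport header is truncated.
INCOMPLETE_RE = re.compile(r"INCOMPLETE \[(\d+) bytes\]")

# Sample lines copied from the post above.
SAMPLE_LINES = [
    'May 16 12:04:23 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=68.121.146.134 DST=62.53.192.175 LEN=56 TOS=0x00 PREC=0xE0 TTL=42 ID=44796 PROTO=ICMP TYPE=3 CODE=3 [SRC=62.53.192.175 DST=68.121.146.134 LEN=85 TOS=0x00 PREC=0x00 TTL=98 ID=47689 PROTO=UDP SPT=45585 DPT=65000 LEN=65 ]',
    'May 16 12:07:12 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=68.0.95.18 DST=62.53.192.175 LEN=76 TOS=0x00 PREC=0xE0 TTL=49 ID=65337 PROTO=ICMP TYPE=3 CODE=1 [SRC=62.53.192.175 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x80 TTL=110 ID=52247 DF PROTO=TCP SPT=45783 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0 ]',
    'May 16 12:07:20 fw RULE DROP -- IN=eth0 OUT=eth1 SRC=10.49.4.6 DST=62.53.192.143 LEN=56 TOS=0x00 PREC=0xE0 TTL=230 ID=47467 PROTO=ICMP TYPE=11 CODE=0 [SRC=62.53.192.143 DST=219.100.31.227 LEN=40 TOS=0x00 PREC=0xE0 TTL=1 ID=54789 DF PROTO=TCP INCOMPLETE [8 bytes] ]',
]

# Constructed stand-in for the conntrack table: original-direction tuples
# (proto, src, sport, dst, dport). Only the first sample's flow is "tracked".
CONNTRACK_TABLE = {("UDP", "62.53.192.175", 45585, "68.121.146.134", 65000)}


@dataclass
class IcmpError:
    outer: dict                        # fields of the ICMP packet itself
    inner: dict                        # fields of the embedded packet
    incomplete: Optional[int] = None   # bytes logged if the inner header was truncated


def parse_fields(text):
    """Parse 'SRC=1.2.3.4 DST=... DF SYN' into a dict; bare flags map to True."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            fields[tok] = True
    return fields


def parse_log_line(line):
    """Return an IcmpError for an ICMP-error LOG line, or None otherwise."""
    body = line.split("-- ", 1)[-1]            # drop timestamp, host and prefix
    lb, rb = body.find("["), body.rfind("]")
    if lb == -1 or rb == -1:
        return None                            # no embedded packet: not an ICMP error
    outer = parse_fields(body[:lb])
    if outer.get("PROTO") != "ICMP" or int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        return None
    inner_text = body[lb + 1:rb]
    m = INCOMPLETE_RE.search(inner_text)
    if m:
        inner_text = inner_text[:m.start()]
    return IcmpError(outer, parse_fields(inner_text), int(m.group(1)) if m else None)


def inner_tuple(err):
    """5-tuple conntrack would look up for the embedded packet; None if ports are missing."""
    i = err.inner
    if i.get("PROTO") not in ("TCP", "UDP") or "SPT" not in i or "DPT" not in i:
        return None
    return (i["PROTO"], i["SRC"], int(i["SPT"]), i["DST"], int(i["DPT"]))


def classify(err, table):
    """Return (state, reason): RELATED on a conntrack hit, INVALID otherwise."""
    # This script's own plausibility check: an error should go back to the
    # sender of the embedded packet.
    if err.outer.get("DST") != err.inner.get("SRC"):
        return "INVALID", "ICMP destination is not the embedded packet's source"
    t = inner_tuple(err)
    if t is None:
        return "INVALID", "embedded header carries no usable transport ports"
    reply = (t[0], t[3], t[4], t[1], t[2])     # the tuple seen from the other direction
    if t in table or reply in table:
        return "RELATED", "matches tracked flow %r" % (t,)
    return "INVALID", "no tracked flow for %r" % (t,)


def report(lines, table):
    """Classify every ICMP-error line; returns [(type, code, state, reason), ...]."""
    out = []
    for line in lines:
        err = parse_log_line(line)
        if err is not None:
            state, why = classify(err, table)
            out.append((int(err.outer["TYPE"]), int(err.outer["CODE"]), state, why))
    return out


if __name__ == "__main__":
    for typ, code, state, why in report(SAMPLE_LINES, CONNTRACK_TABLE):
        print("ICMP %d/%d (%s): %s, %s" % (typ, code, ICMP_ERROR_TYPES[typ], state, why))
```

Running it shows that only the first line would have been RELATED under the constructed table; the other two would be INVALID, which is exactly the case where a packet falls through to the final RULE_DROP chain. Replacing CONNTRACK_TABLE with the real table contents at the time of the log entry is what turns this into an actual diagnosis.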