Re: ICMP and conntrack

Le lundi 16 mai 2005 à 12:21 +0100, Clemente Aguiar a écrit :
> With a TCP or UDP protocol, if there are communication problems, ICMP
> "responses" are generated.

ICMP messages are generated to handle IP problems, regardless of which
layer 4 protocol is used. TCP has its own mechanisms to handle layer 4
errors.
The exception is ICMP port unreachable for UDP...

> Does conntrack handle all ICMP "responses" correctly?

Yes, they are, with the RELATED state.

> Shouldn't these messages be handled by conntrack as "RELATED" or
> "ESTABLISHED" and be let through the firewall and therefore not be logged
> (i.e. dropped)?

They should. However, you may have a look at your conntrack table to see
if those packets do actually match existing entries.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
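As an added illustration of the point made in the reply (this is not code from the thread or from netfilter itself): a small Python model of how conntrack classifies an ICMP error. The error message quotes the original IP header plus the first 8 bytes of the layer 4 header; if that quoted tuple matches a tracked connection, the error is RELATED, otherwise it is INVALID and a typical "drop and log what is not ESTABLISHED,RELATED" ruleset logs it. The conntrack table and packets below are constructed samples; the table format is an assumption, not the real /proc/net/ip_conntrack layout.

```python
import struct

# Constructed sample of tracked connections, original direction only:
# (proto, src, dst, sport, dport). Assumed format for this example.
CONNTRACK_TABLE = [
    ("udp", "192.0.2.10", "198.51.100.53", 40000, 53),
    ("tcp", "192.0.2.10", "203.0.113.80", 51234, 80),
]

def parse_icmp_error(payload: bytes):
    """Return the (proto, src, dst, sport, dport) tuple quoted inside an ICMPv4
    error message (dest unreachable, source quench, redirect, time exceeded,
    parameter problem), or None if the message is not an error at all."""
    icmp_type = payload[0]
    if icmp_type not in (3, 4, 5, 11, 12):
        return None
    inner = payload[8:]                      # quoted IP header follows the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4              # header length in bytes
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # first 4 of the 8 quoted L4 bytes
    return ({6: "tcp", 17: "udp"}.get(proto, str(proto)), src, dst, sport, dport)

def icmp_error_state(payload: bytes, table=CONNTRACK_TABLE) -> str:
    """Mimic conntrack: an ICMP error is RELATED when its quoted tuple matches a
    tracked connection in either direction, INVALID otherwise; non-error ICMP
    (e.g. echo request) opens its own entry and is reported here as NEW."""
    inner = parse_icmp_error(payload)
    if inner is None:
        return "NEW"
    proto, src, dst, sport, dport = inner
    for p, s, d, sp, dp in table:
        if p == proto and ((s, d, sp, dp) == (src, dst, sport, dport)
                           or (d, s, dp, sp) == (src, dst, sport, dport)):
            return "RELATED"
    return "INVALID"

def build_icmp_unreachable(code, src, dst, proto, sport, dport) -> bytes:
    """Construct an ICMP type 3 message quoting the given original packet.
    Checksums are left zero; this is a sample, not wire-valid traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

if __name__ == "__main__":
    pkt = build_icmp_unreachable(3, "192.0.2.10", "198.51.100.53", 17, 40000, 53)
    print(icmp_error_state(pkt))   # RELATED: matches the tracked DNS query
```

An error quoting a tuple that is not in the table (for instance a port unreachable for a query conntrack never saw, or one that timed out already) comes back INVALID, which is exactly the case the reply suggests checking the conntrack table for.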
