Re: ipt_owner and ICMP


 



jay@xxxxxxxxxxx wrote:

>Hi,
>
>I'm currently using the ipt_owner module to enforce stronger outgoing packet
>filtering on certain daemons. I create a custom chain with the stronger
>rules and use '-m owner' to jump packets into the chain.
>
>This works fine for UDP and TCP, but my outgoing ICMP packets never match
>the rule. I understand why incoming ICMP should fail to match, but why are
>outgoing packets missing the filter?
>
>Chain OUTPUT (policy ACCEPT)
>target     prot opt source               destination
>acctboth   all  --  anywhere             anywhere
>ACCEPT     all  --  anywhere             anywhere
>apache-output  all  --  anywhere             anywhere            OWNER UID match iptest
>
>Chain apache-output (1 references)
>target     prot opt source               destination
>DROP       icmp --  anywhere             anywhere
>
>(nothing in the acctboth chain causes a jump)
>
>Any ideas?
>
>  
>
I think this is because icmp packets are just generated and sent away by
some part of the kernel after it received a syscall from a program with
uid 0 (only root can use icmp).
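One way to see where the outgoing ICMP is actually being counted, as an added example that is not part of this thread: it parses constructed `iptables -nvxL` style output (chain and target names follow the listing above; the packet counters and the UID 48 are made up) and compares ICMP hits inside the owner chain with ICMP matched by other OUTPUT rules, which is the counter pattern you get when `-m owner` never attributes the ICMP to the daemon.

```python
import re

# Constructed sample in `iptables -nvxL` layout (not taken from the thread);
# chain/target names mirror the listing above, counters and UID 48 are made up.
SAMPLE = """\
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9600 acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
      15       1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
      90       7200 apache-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 48

Chain apache-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match options].
# Assumes -x (exact counters, no K/M suffixes) and that every rule has a target.
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_counters(text):
    """Return {chain: [(pkts, target, proto, extra), ...]} from `iptables -nvxL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # skip text before the first chain, blank lines and column headers
        m = RULE_RE.match(line)
        if m:
            pkts, target, proto, extra = m.groups()
            chains[current].append((int(pkts), target, proto, extra.strip()))
    return chains

def icmp_summary(chains, owner_chain, base_chain="OUTPUT"):
    """Compare ICMP hits inside the owner chain with ICMP matched elsewhere in OUTPUT."""
    # If icmp_outside keeps rising while icmp_inside stays at zero, the ICMP left
    # the box without ever being attributed to the daemon's UID by the owner match.
    jumped = sum(p for p, t, _, _ in chains[base_chain] if t == owner_chain)
    inside = sum(p for p, _, proto, _ in chains[owner_chain] if proto == "icmp")
    outside = sum(p for p, t, proto, _ in chains[base_chain]
                  if proto == "icmp" and t != owner_chain)
    return {"jumped": jumped, "icmp_inside": inside, "icmp_outside": outside}
```

Feed it the real listing with `iptables -nvxL OUTPUT; iptables -nvxL apache-output` captured to a file, then watch the three counters while generating traffic.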

