Hi,

On Thu November 13 2008, Thomas Jacob wrote:
> For instance, if your ICMP echo request doesn't go through your
> firewall, how can the stateful inspection know
> about the echo reply to be expected? Also, if the firewall
> doesn't see the initial TCP SYN packet, but the SYN-ACK goes
> through the firewall, it clearly shouldn't allow that through.

As I'm currently trying to understand the netfilter implementation, I tried to find the point where the ICMP echo reply gets filtered.

In xt_state.c->match(...) I saw that it detects the state XT_STATE_INVALID if there is no connection associated with the packet (skb->nfct). But in the ICMP connection tracker I don't find the point where it doesn't track the echo reply packets if no echo request packet passed. I have the impression that it will track the echo reply as a NEW connection.

Could someone please point me to the code?

Thanks in advance,
-- 
Christoph Paasch
www.rollerbulls.be
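The behaviour the quoted reply expects (an echo reply that no echo request preceded gets no connection entry, so the state match sees it as INVALID rather than NEW) is easiest to see in a small model. The following is an added example written for this page; it is not netfilter's conntrack code, and all names (ct_table, ct_classify, scenario, the addresses and echo identifiers) are made up for the illustration. It models the per-protocol decision that matters here: an echo request may open a tracked flow, an echo reply may only match the reversed tuple of an existing flow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of stateful ICMP echo tracking. Added illustration; not
 * netfilter's nf_conntrack code. All identifiers here are invented. */

#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_INVALID };

struct icmp_pkt {
    uint32_t src, dst;  /* IPv4 addresses, host byte order (constructed) */
    uint8_t  type;      /* ICMP type */
    uint16_t id;        /* echo identifier pairing a request with its reply */
};

#define MAX_ENTRIES 16
struct ct_entry {
    bool     used;
    bool     seen_reply;  /* has a reply matched this flow yet? */
    uint32_t src, dst;    /* original direction: requester -> target */
    uint16_t id;
};
struct ct_table { struct ct_entry e[MAX_ENTRIES]; };

static void ct_init(struct ct_table *t) { memset(t, 0, sizeof *t); }

/* Find the entry matching p in the original direction (reversed == false)
 * or with source/destination swapped (reversed == true, the reply direction). */
static struct ct_entry *ct_find(struct ct_table *t, const struct icmp_pkt *p, bool reversed)
{
    uint32_t a = reversed ? p->dst : p->src, b = reversed ? p->src : p->dst;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct ct_entry *e = &t->e[i];
        if (e->used && e->src == a && e->dst == b && e->id == p->id)
            return e;
    }
    return NULL;
}

/* Classify one packet as a state match would see it, updating the table. */
enum ct_state ct_classify(struct ct_table *t, const struct icmp_pkt *p)
{
    struct ct_entry *e;
    switch (p->type) {
    case ICMP_ECHO:
        /* A request may open a flow. Until a reply is seen it stays NEW. */
        e = ct_find(t, p, false);
        if (e)
            return e->seen_reply ? CT_ESTABLISHED : CT_NEW;
        for (int i = 0; i < MAX_ENTRIES; i++) {
            if (!t->e[i].used) {
                t->e[i] = (struct ct_entry){ .used = true, .src = p->src,
                                             .dst = p->dst, .id = p->id };
                return CT_NEW;
            }
        }
        return CT_INVALID;  /* table full: no entry, packet stays untracked */
    case ICMP_ECHOREPLY:
        /* A reply may only match an existing request; it never opens a flow. */
        e = ct_find(t, p, true);
        if (!e)
            return CT_INVALID;
        e->seen_reply = true;
        return CT_ESTABLISHED;
    default:
        return CT_INVALID;  /* other ICMP types are not modelled here */
    }
}

/* Scenarios over constructed addresses; each one runs against a fresh table. */
enum ct_state scenario(int which)
{
    struct ct_table t;
    const uint32_t inside = 0x0A000001u, outside = 0xC0000201u, other = 0xC0000202u;
    struct icmp_pkt req   = { inside,  outside, ICMP_ECHO,      0x1234 };
    struct icmp_pkt reply = { outside, inside,  ICMP_ECHOREPLY, 0x1234 };
    struct icmp_pkt stray = { other,   inside,  ICMP_ECHOREPLY, 0x1234 };
    struct icmp_pkt badid = { outside, inside,  ICMP_ECHOREPLY, 0x9999 };

    ct_init(&t);
    switch (which) {
    case 0: return ct_classify(&t, &req);                               /* NEW */
    case 1: ct_classify(&t, &req); return ct_classify(&t, &reply);      /* ESTABLISHED */
    case 2: return ct_classify(&t, &stray);            /* no request seen: INVALID */
    case 3: ct_classify(&t, &req); return ct_classify(&t, &badid);      /* INVALID */
    case 4: ct_classify(&t, &req); ct_classify(&t, &reply);
            return ct_classify(&t, &req);                               /* ESTABLISHED */
    default: return CT_INVALID;
    }
}

int main(void)
{
    static const char *name[] = { "NEW", "ESTABLISHED", "INVALID" };
    for (int i = 0; i < 5; i++)
        printf("scenario %d -> %s\n", i, name[scenario(i)]);
    return 0;
}
```

Scenario 2 is the case from the thread: the reply from `other` has no entry to match in either direction, so it gets no connection and is classified INVALID, which a `-m state --state NEW,ESTABLISHED` style rule would then drop. A policy that instead let replies create entries would be the weakness the quoted reply warns about.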