Re: nat problem: What's so special with traffic from audibank.de?

Hello Patrick,

On Fri, 04 Dec 2009 07:14:44 +0100 Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > I could solve my problem by either allowing any ICMP traffic from outside to any destination or using the clamp-to-pmtu option in the server settings for the firewall. This is a switch in fwbuilder.

Sorry, I was wrong.
At first I tried the »clamp-to-pmtu« setting and it worked. After removing this setting and inserting a global rule to accept all ICMP traffic, it still worked.
But I didn't realize that this global rule had no effect at all.


> > 
> > Why is such an ICMP message not RELATED in the meaning of
> >    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> > with a _related_ tcp connection?
> 
> It should be. Please post a dump of the relevant ICMP message
> and the connection tuples from /proc/net/nf_conntrack for the
> original TCP connection.

No such ICMP message ever reached my firewall, though I tried hard to record one. My guess is that it must have been filtered out on the way.
The clamp-to-pmtu seemed to have a lasting success.

What I'm wondering is why it just works on the firewall itself but not with the natted computers in the private network?

Sorry for replying so late.
Lars