On Thursday 2010-07-29 11:18, Michele Petrazzo - Unipex wrote:
>Jan Engelhardt wrote:
>>>My output chain:
>>>*filter
>>>:OUTPUT DROP [4831251:620928037]
>>>-A OUTPUT -o lo -j ACCEPT
>>>-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>>-A OUTPUT -j LOG --log-prefix "Firewall DROPOUT- "
>>
>>So what's left is INVALID packets.
>
>Seems that a rule that drops the INVALID packets does the trick. But...
>drop or reject the invalid packets?

Whatever fits your need.

>>>The question. Why I see this log and why my fw wants to talk with
>>>external and, the last, why the kernel double log talk and one is
>>>inside the brackets [ ]?
>>
>>Because those are the contents of the ICMP packet. See the RFC.
>
>Happens also with tcp, not only icmp.
>P.S. Have you a rfc number?

792

>And the last, have you also an rfc that explains why and where invalid
>comes from?

INVALID is a CT classification. RFCs don't have much to do with that.
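
An added example, not part of the original thread: a small Python parser that splits a netfilter LOG line into the outer header and the bracketed part, which for an ICMP error is the header of the original packet quoted inside it (RFC 792). The sample line is constructed and the function names are hypothetical; only the log prefix comes from the rules quoted above.

```python
import re

# Constructed sample in the kernel LOG target's text format; the prefix is the
# one from the thread, addresses are documentation ranges, values are made up.
SAMPLE = (
    'Firewall DROPOUT- IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=88 '
    'TOS=0x00 PREC=0xC0 TTL=64 ID=4711 PROTO=ICMP TYPE=3 CODE=3 '
    '[SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 '
    'ID=1234 DF PROTO=TCP SPT=51514 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 ] '
)

_FIELD = re.compile(r'\b([A-Z]+)=(\S*)')


def _fields(text):
    """KEY=value tokens as a dict; bare flags such as DF or SYN are skipped."""
    return dict(_FIELD.findall(text))


def parse_log_line(line, prefix='Firewall DROPOUT- '):
    """Return outer/inner header fields, or None if the prefix is absent."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    outer_text, bracket, inner_text = rest.partition('[')
    inner = None
    if bracket:
        # A truncated line may lack the closing ']'; keep what is there.
        inner = _fields(inner_text.rsplit(']', 1)[0])
    return {'outer': _fields(outer_text), 'inner': inner}


def summarize(line):
    """One-line description that keeps the two headers apart."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    o, i = rec['outer'], rec['inner']
    text = '{} {} -> {}'.format(o.get('PROTO', '?'), o.get('SRC'), o.get('DST'))
    if i:
        text += ' (quotes {} {}:{} -> {}:{})'.format(
            i.get('PROTO', '?'), i.get('SRC'), i.get('SPT', '-'),
            i.get('DST'), i.get('DPT', '-'))
    return text


if __name__ == '__main__':
    print(summarize(SAMPLE))
```

Reading the outer and inner fields separately avoids mistaking the quoted original packet for a second connection attempt by the firewall host.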