On Friday 2010-07-30 12:41, Michele Petrazzo - Unipex wrote:
>>>>invalid come from?
>>INVALID is a CT classification. RFC don't have much to do with that.
>
> Pascal Hambourg wrote:
>>ICMP port unreachable is not the natural reply to an unexpected TCP
>>packet, so I guess it was generated by a REJECT target in the INPUT or
>>FORWARD chain. If the original packet was in the INVALID state (or
>>UNTRACKED if you used the NOTRACK target), then the ICMP error packet
>>is in the INVALID state instead of RELATED.
>
>Like said, INVALID is only a CT classification of my firewall. But,
>since it's not a standard, how I can receive and reply (through my
>FORWARD chain) to an INVALID packet?

By not blocking it, standard processing will take place.

>Who generate/classify it like INVALID? My sender (I don't believe since
>it's not a standard) or my CT?

The sender creates it, your firewall classifies it.