Hello everybody,

I have problems with my IPv6 firewall concerning connection tracking and mDNS. This is part of the rules:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
-A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
[...]
-A INPUT -j LOG --log-prefix "DEBUG2: "
-A INPUT -j REJECT

DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=661 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=621
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255 FLOWLBL=0 FRAG:0 INCOMPLETE ID:042d5795 PROTO=UDP SPT=5353 DPT=5353 LEN=7378
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255 FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
DEBUG2: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255 FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
[...]

All following packets are logged twice. So why is the connection not tracked? I would expect the fragment to belong to an established connection and to be accepted.

-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
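As an added example (not part of the original post or of the netfilter project), the script below parses ip6tables LOG lines of the shape shown above and walks a simplified model of the poster's INPUT chain to show which rules each packet can match. The sample lines are constructed to mirror the ones in the post. The model keeps only the header matches (source prefix, multicast destination, protocol, destination port) and deliberately omits the two ctstate rules, since the LOG output does not reveal conntrack state; what it does make visible is that the second fragment (FRAG:1448) carries no UDP header, so a rule with `--dport 5353` cannot match it and it falls through to DEBUG2 and REJECT. Whether conntrack should have reassembled the datagram first is the poster's question and is not answered by this model.

```python
"""Parse ip6tables LOG lines and walk a simplified INPUT chain.

Added example; the sample log lines are constructed to match the shape of
the DEBUG1/DEBUG2 lines in the post (same prefixes, fragment ID and ports).
"""
import ipaddress

# Constructed sample lines: the complete mDNS datagram, then the first and
# the second fragment of a larger one (same fragment ID 042d5795).
SAMPLE_LOG = """\
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=661 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=621
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255 FLOWLBL=0 FRAG:0 INCOMPLETE ID:042d5795 PROTO=UDP SPT=5353 DPT=5353 LEN=7378
DEBUG1: IN=en OUT= MAC= SRC=fe80:0000:0000:0000:ea03:9aff:feac:8631 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=1496 TC=0 HOPLIMIT=255 FLOWLBL=0 FRAG:1448 INCOMPLETE ID:042d5795 PROTO=UDP
"""


def parse_log_line(line):
    """Turn one LOG line into a dict.

    KEY=VALUE tokens become keys, the fragment fields (FRAG:offset, ID:hex)
    use KEY:VALUE, and the bare INCOMPLETE token becomes a boolean flag.
    The second LEN= (the UDP length) is stored as UDP_LEN so it does not
    overwrite the IPv6 payload length.
    """
    prefix, _, rest = line.partition(" IN=")
    entry = {"prefix": prefix.rstrip(": "), "INCOMPLETE": False}
    for tok in ("IN=" + rest).split():
        if tok == "INCOMPLETE":
            entry["INCOMPLETE"] = True
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "LEN" and "LEN" in entry:
                key = "UDP_LEN"
            entry[key] = value
        elif ":" in tok:  # FRAG:offset and ID:hex
            key, value = tok.split(":", 1)
            entry[key] = value
    return entry


# Simplified model of the post's INPUT chain (assumption: ctstate rules left
# out, because LOG lines do not show conntrack state).
LINK_LOCAL = ipaddress.ip_network("fe80::/64")
MDNS_GROUP = ipaddress.ip_address("ff02::fb")


def is_mdns_udp(p):
    """Header match shared by the DEBUG1 LOG rule and the ACCEPT rule."""
    return (ipaddress.ip_address(p["SRC"]) in LINK_LOCAL
            and ipaddress.ip_address(p["DST"]) == MDNS_GROUP
            and p.get("PROTO") == "UDP")


RULES = [
    ("LOG DEBUG1", is_mdns_udp, "LOG"),
    # --dport 5353 needs the UDP header; a non-first fragment has no DPT.
    ("ACCEPT mdns", lambda p: is_mdns_udp(p) and p.get("DPT") == "5353", "ACCEPT"),
    ("LOG DEBUG2", lambda p: True, "LOG"),
    ("REJECT", lambda p: True, "REJECT"),
]


def walk_chain(p):
    """Return the rule names matched in order, stopping at a terminating verdict."""
    hits = []
    for name, predicate, verdict in RULES:
        if predicate(p):
            hits.append(name)
            if verdict != "LOG":
                break
    return hits


def fragment_groups(entries):
    """Group fragments by IPv6 fragment ID: (offset, transport header seen?)."""
    groups = {}
    for e in entries:
        if "FRAG" in e:
            groups.setdefault(e["ID"], []).append((int(e["FRAG"]), "DPT" in e))
    return groups


def analyse(text):
    """Pair each packet's fragment offset ('-' if unfragmented) with its chain walk."""
    entries = [parse_log_line(l) for l in text.splitlines() if l.strip()]
    return [(e.get("FRAG", "-"), walk_chain(e)) for e in entries]


if __name__ == "__main__":
    for frag, hits in analyse(SAMPLE_LOG):
        print(f"frag offset {frag:>5}: {' -> '.join(hits)}")
    print(fragment_groups([parse_log_line(l) for l in SAMPLE_LOG.splitlines()]))
```

Running it shows the unfragmented datagram and the first fragment (offset 0, ports present) reaching ACCEPT, while the offset-1448 fragment is logged by DEBUG1, cannot satisfy the port match, and ends at DEBUG2 and REJECT, which is exactly the double logging the post describes.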