On Thu, Sep 05, 2013 at 05:43:59PM +0200, podo wrote:
> Hi Phil,
> Yes, I meant the 3rd rule (Established accept).
>
> Please, what do you mean by "same ID"? And is this not exactly the problem?
> nf_conntrack is not even needed when only the first rule is present:
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

By "ID" I mean ICMP ID. Do some testing on your own with something like this:

    while : ; do grep icmp /proc/net/nf_conntrack ; sleep 1 ; done

while you have a ping going. You'll note that as long as the ICMP ID (and src/dst IPs) are identical, only one conntrack entry is utilized. If you continually ping, the only update will be the timer refreshing to 30 seconds. During this time, you will note your "established" rule increasing. If you ping 5 times, the established rule should register 4 hits. If you allow the conntrack to expire (by waiting 30 seconds), then the cycle starts over again.

> ICMP should not be tracked as established...
> In my opinion the behaviour is not correct.

This is optimal behavior. Also, without this, DoS attacks against conntrack would be much simpler.

Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
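As an added example (not code from the thread or from netfilter), a small Python parser over constructed `/proc/net/nf_conntrack` polls that shows the keying Phil describes: ICMP entries are identified by src/dst and ICMP ID, so a running ping keeps refreshing one entry's timer instead of adding an entry per echo request, and a second ping process (new ID) gets a second entry. The sample lines, addresses and IDs are constructed; the column layout mirrors the ICMP entry format of nf_conntrack.

```python
"""Parse ICMP entries from /proc/net/nf_conntrack and key them the way
conntrack does: by (src, dst, ICMP id). Repeated polls of a running ping
show one entry whose timer is refreshed, not one entry per echo request."""
import re

# Constructed sample polls (not real captures): three one-second polls while
# one ping process (ICMP id 4242) runs; by the third poll a second ping
# process with a different id (4243) has started. Format mirrors
# nf_conntrack's ICMP lines: proto, timeout, original tuple, reply tuple.
POLLS = [
    "ipv4     2 icmp     1 30 src=10.0.0.5 dst=10.0.0.1 type=8 code=0 id=4242 "
    "src=10.0.0.1 dst=10.0.0.5 type=0 code=0 id=4242 mark=0 use=1\n",
    "ipv4     2 icmp     1 30 src=10.0.0.5 dst=10.0.0.1 type=8 code=0 id=4242 "
    "src=10.0.0.1 dst=10.0.0.5 type=0 code=0 id=4242 mark=0 use=1\n",
    "ipv4     2 icmp     1 30 src=10.0.0.5 dst=10.0.0.1 type=8 code=0 id=4242 "
    "src=10.0.0.1 dst=10.0.0.5 type=0 code=0 id=4242 mark=0 use=1\n"
    "ipv4     2 icmp     1 29 src=10.0.0.5 dst=10.0.0.1 type=8 code=0 id=4243 "
    "src=10.0.0.1 dst=10.0.0.5 type=0 code=0 id=4243 mark=0 use=1\n",
]

# Matches the leading fields of an ICMP entry up to the original-direction id.
ENTRY_RE = re.compile(
    r"^ipv[46]\s+\d+\s+icmp\s+\d+\s+(?P<timeout>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+type=(?P<type>\d+)\s+code=\d+\s+"
    r"id=(?P<id>\d+)"
)


def parse_icmp_entries(text):
    """Return [(src, dst, icmp_id, timeout, unreplied)] for ICMP lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append((m["src"], m["dst"], int(m["id"]), int(m["timeout"]),
                        "[UNREPLIED]" in line))
    return entries


def flows_over_polls(polls):
    """Map each (src, dst, id) flow to the list of timers seen across polls."""
    seen = {}
    for text in polls:
        for src, dst, icmp_id, timeout, _ in parse_icmp_entries(text):
            seen.setdefault((src, dst, icmp_id), []).append(timeout)
    return seen


if __name__ == "__main__":
    for key, timers in flows_over_polls(POLLS).items():
        print(key, "seen in", len(timers), "polls, timers:", timers)
```

Running it against live output of the `grep icmp /proc/net/nf_conntrack` loop from the mail instead of `POLLS` lets you watch the single entry's timer sit at 30 while a ping runs, and a fresh entry appear only after it expires or a new ping process starts.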