APC >> Now the problem is to create a rule that would perform this task, but looking at the module for string match
APC >> and searching google has left me a bit unsure if I am going in the right direction ...
PH > The u32 match may be more precise as it allows matching a pattern at a specific offset.

Thank you, I will search "iptables u32 match" on google :-)

APC >> Since the IPTABLES normally can find this data in its RELATED function in the STATE-MODULE,
PH > Conntrack is independent of iptables.
PH > Conntrack sets the state, and iptables just checks it.

I was hoping it was not so, but this explains why I have not found options for this so far.

PH > But I'd like to ask why you bother to log such packets?

I am not sure I 100% understand what exactly you are asking, since I want to remove these from my logs ...
... I will assume you are asking generally why I log INVALID / OUT-OF-STATE packets.

The reason is simple: if there is some kind of TIME-OUT issue, you will in most cases find it almost immediately with a fast look in the LOG, and you will not have to create some massive tcpdump / pcap files to investigate why something is not working or being broken.

Logging level is also adjusted for this for most systems that have to be PCI-DSS compliant, or at least the general "understanding" or conception is that such is needed. This typically means that all systems follow the same standard, even when it does not have to be PCI-DSS compliant at the moment or ever.

Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
IBM Services AS

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
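The u32 match PH points to reads 4-byte words at computed offsets (the `@` operator moves the base past the IP header) and compares them against value ranges. As an added example that is not from this thread, the Python below models the register machine described in iptables-extensions(8) and runs it against a constructed IPv4/TCP packet; the choice of a bare TCP RST as the packet type to exempt from an INVALID log rule is an assumed illustration, not something the thread states.

```python
import re, struct

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|&|@")   # u32 "location" tokens
def _num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)
def _load32(pkt, off):
    # C = big-endian 32-bit word at A+B; reading past the packet fails the match
    return struct.unpack_from("!I", pkt, off)[0] if off + 4 <= len(pkt) else None

def eval_location(pkt, location):
    # Register machine from iptables-extensions(8): A = base offset, C = value
    a, c, op = 0, None, None
    for tok in _TOKEN.findall(location):
        if not tok[0].isdigit():
            op = tok
            continue
        n = _num(tok)
        if op is None:          # plain number: B = n, C = word at A+B
            c = _load32(pkt, a + n)
        elif op == "&":
            c &= n
        elif op == ">>":
            c >>= n
        elif op == "<<":
            c = (c << n) & 0xFFFFFFFF
        else:                   # "@": A = A + C, then load the word at the new A+n
            a += c
            c = _load32(pkt, a + n)
        if c is None:
            return None
        op = None
    return c

def u32_match(pkt, tests):
    # True if every "location=value" test holds; value is a list of n or n:m ranges
    for test in tests.replace(" ", "").split("&&"):
        location, _, value = test.partition("=")
        c = eval_location(pkt, location)
        if c is None:
            return False
        ranges = [r.partition(":") for r in value.split(",")]
        if not any(_num(lo) <= c <= _num(hi or lo) for lo, _, hi in ranges):
            return False
    return True

def build_ipv4_tcp(flags, payload=b""):
    # Constructed sample: minimal IPv4 (IHL=5) + TCP (doff=5), checksums left as zero
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp
```

With the expression `6&0xFF=6 && 0>>22&0x3C@12>>16&0xFF=4` (TCP, flags byte exactly RST), an assumed rule of the form `iptables -A INPUT -m conntrack --ctstate INVALID -m u32 ! --u32 '...' -j LOG` would keep bare RSTs out of the INVALID log while still logging everything else; the model also shows that an expression reaching past the end of a packet fails the match rather than erroring.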