On Tue, August 22, 2017 16:47, Mark Coetser wrote:
> On 22/08/2017 16:42, Walter H. wrote:
>> Hello,
>>
>> I have these rules at the beginning of /etc/sysconfig/ip6tables
>>
>> # Filter all packets with state INVALID
>> -A INPUT -m state --state INVALID -j DROP
>> -A FORWARD -m state --state INVALID -j DROP
>> -A OUTPUT -m state --state INVALID -j DROP
>>
>> and at the bottom these rules:
>>
>> # Log all other
>> -A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
>> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>> -A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
>>
>> which rule would have caught these logged packets:
>>
>> [70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>> [70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>> [70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>
> those logged packets are from packets traversing your filter FORWARD
> chain; obviously no rule is matching, which is why it's triggering the
> last rule, which is
>
> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>

of course, and which rule would I have to add before this rule, so that
these are not logged ...?
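
An added example, not part of the original thread: a small Python parser for LOG-target lines like the ones quoted above, grouping them by log prefix and flow to show how many packets were logged, over what time span, and which TCP flags they carried. The first three sample lines are taken from the post with mail wrapping undone; the fourth is constructed for contrast, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Assumes the layout in the post: "[uptime] <log-prefix>: IN=... KEY=VALUE ... FLAGS".
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<prefix>.*?):\s+(?P<rest>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}

def parse_log_line(line):
    """Split one LOG-target line into timestamp, prefix, fields and TCP flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a LOG line in the expected layout
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:  # flags are printed as bare words
            flags.add(tok)
    return {"ts": float(m.group("ts")), "prefix": m.group("prefix"),
            "fields": fields, "flags": flags}

def summarize(lines):
    """Group packets by log prefix and flow; record count, flags and time span."""
    flows = defaultdict(lambda: {"count": 0, "flags": set(), "ts": []})
    for rec in filter(None, map(parse_log_line, lines)):
        f = rec["fields"]
        key = (rec["prefix"], f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DPT"))
        flows[key]["count"] += 1
        flows[key]["flags"] |= rec["flags"]
        flows[key]["ts"].append(rec["ts"])
    for s in flows.values():
        s["first"], s["last"] = min(s["ts"]), max(s["ts"])
        # No SYN seen: every logged packet came from the middle of a TCP stream.
        s["mid_stream_only"] = "SYN" not in s["flags"]
    return dict(flows)

# Lines 1-3: from the post. Line 4: constructed (documentation prefix 2001:db8::/32).
SAMPLE = """
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70300.000001] IPv6[IN]: IN=sit1 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=myipv6addr LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=28800 RES=0x00 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    for key, s in summarize(SAMPLE).items():
        print(key, s["count"], sorted(s["flags"]),
              f"{s['last'] - s['first']:.1f}s", "mid-stream only:", s["mid_stream_only"])
```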