Re: ICMP packets seeping through a DROP policy - security concern
On 04/03/2012 22:25, jonetsu wrote:
> The setup is: unit1 <--> eth4 unit3 eth1 <--> unit2
> unit1 is continuously pinging unit2 via unit3. Rules are applied on unit3.
In that case, it's the FORWARD chain that matters. The behaviour of kernel 3.0.0 seems correct; ping continues to work because the ICMP is subjected to connection tracking and you are allowing RELATED/ESTABLISHED traffic in the FORWARD chain. To test the INPUT chain, you should be pinging unit3, not unit2.
Cheers,
--Kerin
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
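To make the point above concrete, here is a small model (added for this archive page; it is not netfilter code and not from either poster) of how connection tracking classifies ICMP echo traffic crossing a router, and which chain each packet hits. The addresses for unit1, unit2 and the two unit3 interfaces are assumed, since the thread gives none. It reproduces the reported behaviour: with a DROP policy and only a RELATED,ESTABLISHED accept rule, a ping that was already running keeps flowing through FORWARD because every request and reply matches the tracked entry, while a fresh ping, a ping aimed at unit3 itself (INPUT chain) or the same ping after the conntrack entry times out is dropped.

```python
"""Toy model of netfilter's ICMP echo tracking on a router (not netfilter source)."""
from dataclasses import dataclass, field

ECHO_REQUEST, ECHO_REPLY = 8, 0
ICMP_TIMEOUT = 30  # seconds; default nf_conntrack_icmp_timeout

# Assumed addressing for the thread's topology (not given on the page).
UNIT1, UNIT2 = "10.0.1.1", "10.0.2.1"
UNIT3_ADDRS = {"10.0.1.254", "10.0.2.254"}  # eth4 and eth1 on unit3


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    id: int


@dataclass
class Entry:
    seen_reply: bool = False
    last_seen: float = 0.0


@dataclass
class Conntrack:
    table: dict = field(default_factory=dict)

    def classify(self, pkt, now):
        """Return the -m state label and the entry key for this packet."""
        self._expire(now)
        if pkt.type == ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.id)
            entry = self.table.get(key)
            if entry is None:
                return "NEW", key
            # Requests are ESTABLISHED only once a reply has been seen.
            return ("ESTABLISHED" if entry.seen_reply else "NEW"), key
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.id)  # reply direction: flip src/dst
            if key in self.table:
                return "ESTABLISHED", key
        return "INVALID", None  # reply with no matching request

    def confirm(self, pkt, key, now):
        """Commit the entry once the packet was accepted (conntrack confirmation)."""
        entry = self.table.setdefault(key, Entry())
        entry.last_seen = now
        if pkt.type == ECHO_REPLY:
            entry.seen_reply = True

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if now - e.last_seen > ICMP_TIMEOUT]:
            del self.table[key]


def chain_for(pkt):
    """Packets addressed to the box itself hit INPUT; routed ones hit FORWARD."""
    return "INPUT" if pkt.dst in UNIT3_ADDRS else "FORWARD"


def filter_verdict(state, policy):
    """One rule: -m state --state RELATED,ESTABLISHED -j ACCEPT, then the chain policy."""
    return "ACCEPT" if state in ("RELATED", "ESTABLISHED") else policy


def process(ct, pkt, now, policies):
    chain = chain_for(pkt)
    state, key = ct.classify(pkt, now)
    verdict = filter_verdict(state, policies[chain])
    if verdict == "ACCEPT" and key is not None:
        ct.confirm(pkt, key, now)
    return chain, state, verdict


def run_scenario():
    ct = Conntrack()
    # A ping from unit1 to unit2 is already running before the rules are loaded.
    open_policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}
    process(ct, Icmp(UNIT1, UNIT2, ECHO_REQUEST, 0x1234), 0.0, open_policy)
    process(ct, Icmp(UNIT2, UNIT1, ECHO_REPLY, 0x1234), 0.1, open_policy)

    # Policy flips to DROP on both chains; only the state rule remains.
    drop_policy = {"INPUT": "DROP", "FORWARD": "DROP"}
    return {
        "ongoing_request": process(ct, Icmp(UNIT1, UNIT2, ECHO_REQUEST, 0x1234), 1.0, drop_policy),
        "ongoing_reply": process(ct, Icmp(UNIT2, UNIT1, ECHO_REPLY, 0x1234), 1.1, drop_policy),
        "fresh_ping_through": process(ct, Icmp(UNIT1, UNIT2, ECHO_REQUEST, 0x9999), 2.0, drop_policy),
        "ping_to_unit3": process(ct, Icmp(UNIT1, "10.0.1.254", ECHO_REQUEST, 0x1234), 3.0, drop_policy),
        "after_timeout": process(ct, Icmp(UNIT1, UNIT2, ECHO_REQUEST, 0x1234), 40.0, drop_policy),
    }


if __name__ == "__main__":
    for name, (chain, state, verdict) in run_scenario().items():
        print(f"{name:20s} {chain:8s} {state:12s} {verdict}")
```

The model simplifies real conntrack (no INVALID handling beyond unmatched replies, no NAT, entries keyed only on addresses and ICMP id), but the classification it encodes is why the ping "seeps through": the test of a DROP policy on INPUT has to target unit3 directly, and a fair test of FORWARD has to start the ping after the rules are loaded or flush the conntrack table first.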