Hi,

I use shorewall 1.45 on Debian 3 woody on iptables 1.28, all .deb packages. If I launch the command iptables -L I see some invalid strings:

Chain INPUT (policy DROP)
DROP !icmp -- anywhere anywhere state INVALID

Chain FORWARD (policy DROP)
DROP !icmp -- anywhere anywhere state INVALID

Chain OUTPUT (policy DROP)
DROP !icmp -- anywhere anywhere state INVALID

Is it an error?

Thanks
It's normal.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Salvatore
Sent: Thursday, September 18, 2003 5:54 PM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] state INVALID in iptables -L

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
This does mean that your iptables installation will DROP invalid icmp packets. Nothing wrong with it, this is the intended behaviour.

Robert Kehl

----- Original Message -----
From: "Salvatore" <corvo81@tin.it>
To: <shorewall-users@lists.shorewall.net>
Sent: Thursday, September 18, 2003 2:24 PM
Subject: [Shorewall-users] state INVALID in iptables -L
On Thu, 2003-09-18 at 04:39, Robert Kehl wrote:
> This does mean that your iptables installation will DROP invalid icmp
> packets.

It actually drops invalid NON-icmp packets (note the "!"). Some ICMP 11 responses are treated as invalid and hence must be allowed.

> Nothing wrong with it, this is the intended behaviour.

Nod.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-09-18 at 07:22, Tom Eastep wrote:
> On Thu, 2003-09-18 at 04:39, Robert Kehl wrote:
> > This does mean that your iptables installation will DROP invalid icmp
> > packets.
>
> It actually drops invalid NON-icmp packets (note the "!"). Some ICMP 11
> responses are treated as invalid and hence must be allowed.

I meant to say ICMP 3 (not ICMP 11)...

-Tom
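The reading of the listing discussed in this thread, as an added example that is not part of the original messages and is not Shorewall or iptables code: a small parser for `iptables -L` rule lines that honours the "!" in the protocol column and reports whether a packet matches. The function names and the packet model (protocol plus connection-tracking state) are assumptions made for illustration; address matches other than "anywhere" are out of scope.

```python
from typing import NamedTuple, Optional

# Listing as quoted in the original post (two of its three identical chains).
LISTING = """\
Chain INPUT (policy DROP)
DROP !icmp -- anywhere anywhere state INVALID
Chain FORWARD (policy DROP)
DROP !icmp -- anywhere anywhere state INVALID
"""

class Rule(NamedTuple):
    target: str
    proto: str          # protocol name with any leading "!" removed
    negated: bool       # True when the listing shows "!proto"
    states: frozenset   # states after the "state" keyword; empty means any

def parse_rule(line: str) -> Rule:
    """Parse one 'target prot opt source destination [state A,B]' line."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"not a rule line: {line!r}")
    target, prot, _opt, src, dst = fields[:5]
    if (src, dst) != ("anywhere", "anywhere"):
        raise ValueError("address matches are outside this example's scope")
    extras = fields[5:]
    states = frozenset()
    if "state" in extras:
        i = extras.index("state")
        if i + 1 == len(extras):
            raise ValueError(f"'state' without a value: {line!r}")
        states = frozenset(extras[i + 1].split(","))
    return Rule(target, prot.lstrip("!"), prot.startswith("!"), states)

def parse_listing(text: str) -> dict:
    """Map chain name -> list of Rule, in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
        elif line.strip() and not line.startswith("target"):
            if current is None:
                raise ValueError("rule line before any 'Chain' header")
            current.append(parse_rule(line))
    return chains

def first_match(rules, proto: str, state: str) -> Optional[Rule]:
    """Return the first rule matching a packet, or None if it falls through."""
    for r in rules:
        proto_ok = r.proto == "all" or ((r.proto == proto) != r.negated)
        if proto_ok and (not r.states or state in r.states):
            return r
    return None
```

A result of None means the packet is not caught by the listed rule and continues to whatever rules or chain policy follow it.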