So if I put a rule on the output chain to drop ICMP port unreachable I have
to do something extra to stop the established/related accept rule from
being higher in the rule chain?
I have FASTACCEPT=No but there seem to be two different locations in the
generated rules where there is an ACCEPT rule for established/related;
there's one in the OUTPUT chain just after the interface_out rule and there's
one right at the top of the fw2net chain, before anything else (i.e. taking
precedence over rules I specified).
On 14 August 2013 09:55, Tom Eastep <teastep@shorewall.net> wrote:
> On 8/13/2013 6:09 PM, Steve Wray wrote:
> > Hi,
> >
> > is an outbound ICMP port unreachable packet considered
> > 'established/related' and processed by those rules?
>
> It is RELATED. It is also allowed by both the DROP and REJECT default
> actions (Drop and Reject).
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
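
The ordering question in this thread, as an added example that is not from either poster or from Shorewall: a small model of netfilter first-match traversal showing which rule decides the fate of an outbound ICMP port unreachable (type 3, code 3) packet that conntrack has marked RELATED. The chain names OUTPUT and fw2net come from the post; the interface name `eth0`, the direct jump from OUTPUT to fw2net, and the rule lists are simplified assumptions, not the generated ruleset.

```python
# Constructed model of first-match chain traversal; not Shorewall's real rules.
PORT_UNREACH = {"proto": "icmp", "icmp_type": 3, "icmp_code": 3}

def matches(rule, pkt):
    """Every match key must equal the packet field; 'ctstate' is a set of
    acceptable conntrack states."""
    for key, want in rule["match"].items():
        if key == "ctstate":
            if pkt["ctstate"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def traverse(chains, name, pkt):
    """Return (verdict, chain, rule_index) for the first terminating rule that
    matches, or None when the chain falls through back to its caller."""
    for index, rule in enumerate(chains[name]):
        if not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"], name, index
        result = traverse(chains, rule["target"], pkt)  # jump to a user chain
        if result is not None:
            return result
    return None

def build(drop_first):
    """Two chains as described in the post; drop_first chooses whether the
    port-unreachable DROP sits above or below the RELATED accept in fw2net."""
    related = {"match": {"ctstate": {"ESTABLISHED", "RELATED"}}, "target": "ACCEPT"}
    drop = {"match": dict(PORT_UNREACH), "target": "DROP"}
    fw2net = [drop, related] if drop_first else [related, drop]
    output = [{"match": {"out_if": "eth0"}, "target": "fw2net"}, related]
    return {"OUTPUT": output, "fw2net": fw2net}

def verdict(drop_first, ctstate="RELATED"):
    """Verdict for an outbound port-unreachable packet in the given state."""
    pkt = dict(PORT_UNREACH, out_if="eth0", ctstate=ctstate)
    return traverse(build(drop_first), "OUTPUT", pkt) or ("POLICY", "OUTPUT", None)

if __name__ == "__main__":
    for drop_first in (False, True):
        print("DROP above RELATED accept:", drop_first, "->", verdict(drop_first))
```

On a live system, `iptables -L fw2net -n -v --line-numbers` shows the real rule order and per-rule packet counters, which is how to confirm which rule the packet actually hits.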