Jim Breton <[EMAIL PROTECTED]> writes:
> On Sat, Mar 24, 2001 at 12:29:37PM +0200, Guido A.J. Stevens wrote:
> > Packet log: INlog REJECT eth0 PROTO=6 193.172.234.241:65535 194.109.214.3:65535 L=52 S=0x10 I=56606 F=0x00B5 T=114 (#1)
> >
> > Setting aside that these packets should not exist; my firewall is
> > configured such that if they *do* occur, they should be accepted. The
> > last five lines of my input chain are:
>
> What are the _first_ lines of that chain?
>
> The "#1" in your filter log tells us that the first line in that chain
> is causing the packet to be blocked.
Nah, that's a misunderstanding. The packets are not blocked in the
"INPUT" chain, but in the custom "INlog" chain. The input chain
contains (i.a.):
ACCEPT tcp -y--l- 0xFF 0x00 eth0 0.0.0.0/0 194.109.214.0/24 1024:65535 -> 1024:65535
ACCEPT tcp !y---- 0xFF 0x00 eth0 0.0.0.0/0 194.109.214.0/24 1024:65535 -> 1024:65535
INlog all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
So the fact that these packets reach the INlog chain *at all* (and are
rejected and logged there immediately, that's right), instead of being
accepted by one of the earlier rules in the INPUT chain baffles
me. One of those high port accept rules should be triggered, and
apparently isn't.
:*CU#
--
*** Guido A.J. Stevens *** mailto:[EMAIL PROTECTED] ***
*** Net Facilities Group *** tel:+31.43.3618933 ***
*** Postbus 1143 *** fax:+31.43.3561655 ***
*** 6201 BC Maastricht *** http://www.nfg.nl ***
It is not true that the government has not moved to regulate the
internet. The last few years has seen an extraordinary expansion
of intellectual property rights [...] that is producing an
extraordinary power to own and hence control ideas.
[Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
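Added example (not part of the thread, and not written by either poster): a small Python parser for the ipchains "Packet log:" line quoted above. It decodes the F= field as the raw IPv4 fragment field (DF and MF flags in the top bits, offset in 8-byte units in the low 13 bits). For the quoted line that gives a non-zero offset, i.e. a non-first fragment; the interpretation in the code that 65535:65535 is the placeholder ipchains prints when the transport header is not present in the fragment, and that port- and SYN-based rules therefore cannot be evaluated against it, is mine from the ipchains log format, not a conclusion stated in the thread. The sample line is the thread's own log entry, re-joined onto one line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the log line quoted in the thread, re-joined onto one line.
SAMPLE_LINE = (
    "Packet log: INlog REJECT eth0 PROTO=6 193.172.234.241:65535 194.109.214.3:65535 "
    "L=52 S=0x10 I=56606 F=0x00B5 T=114 (#1)"
)

# Field order of the ipchains (Linux 2.2) "Packet log:" line:
# chain action interface PROTO=n src:sport dst:dport L=len S=tos I=ipid F=frag T=ttl (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# IPv4 fragment field layout: bit 14 = DF, bit 13 = MF, low 13 bits = offset in 8-byte units.
FRAG_DF = 0x4000
FRAG_MF = 0x2000
FRAG_OFFSET_MASK = 0x1FFF
# Assumption (from the ipchains log format): this is what ipchains prints for both ports
# when the fragment carries no transport header to read them from.
UNKNOWN_PORT = 65535


@dataclass
class IpchainsLogEntry:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ip_id: int
    frag_raw: int
    ttl: int
    rule: int

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag_raw & FRAG_DF)

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_raw & FRAG_MF)

    @property
    def frag_offset_bytes(self) -> int:
        return (self.frag_raw & FRAG_OFFSET_MASK) * 8

    @property
    def is_non_first_fragment(self) -> bool:
        return self.frag_offset_bytes > 0

    @property
    def ports_unavailable(self) -> bool:
        # 65535:65535 on a non-first fragment means "no transport header in this fragment",
        # not a real connection between port 65535 and port 65535.
        return (self.is_non_first_fragment
                and self.sport == UNKNOWN_PORT and self.dport == UNKNOWN_PORT)


def parse_ipchains_log(line: str) -> Optional[IpchainsLogEntry]:
    """Parse one ipchains packet-log line; return None if the line is not in that format."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return IpchainsLogEntry(
        chain=g["chain"], action=g["action"], iface=g["iface"], proto=int(g["proto"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        length=int(g["length"]), tos=int(g["tos"], 16), ip_id=int(g["ip_id"]),
        frag_raw=int(g["frag"], 16), ttl=int(g["ttl"]), rule=int(g["rule"]),
    )


def explain(entry: IpchainsLogEntry) -> str:
    """One-line human reading of why a logged packet may not have matched port/flag rules."""
    where = f"{entry.action} by rule #{entry.rule} of chain {entry.chain} on {entry.iface}"
    if entry.ports_unavailable:
        return (f"{where}: non-first IP fragment (offset {entry.frag_offset_bytes} bytes, "
                f"MF={int(entry.more_fragments)}); ports and TCP flags are not in this "
                f"fragment, so port- and SYN-based rules cannot match it")
    return f"{where}: proto {entry.proto} {entry.src}:{entry.sport} -> {entry.dst}:{entry.dport}"


if __name__ == "__main__":
    entry = parse_ipchains_log(SAMPLE_LINE)
    print(explain(entry))
```

Running it on the quoted line reports a non-first fragment at byte offset 1448 with neither DF nor MF set (a final fragment), which is consistent with the thread's observation that the packet falls through the port-matching ACCEPT rules and reaches the INlog chain. Rules that deliberately handle fragments (ipchains' `-f` option) are the place to decide their fate explicitly rather than leaving it to the fall-through.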