I haven't seen any replies to this, so I thought I'd say what little I can. See below.

At 01:03 PM 11/25/02 +0100, q0016 wrote:
> hi there
>
> icmp packet (time exceeded) are dropped in chain OUTPUT Rule 2 -> icmp state
> INVALID. why are they invalid? "normal" icmp packets (echo reply) passes
> normally. I've joined eth1 & eth2 in a bridge (br0).
This question is a bit too succinct to get a good response. I assume it refers to an icmp type-11 packet. And I'll guess that the underlying problem motivating the question is traceroute failures (but a clarification of that part would be welcome).

But what version of LEAF is involved, what firewall package, and what does the actual, complete "OUTPUT Rule 2" say (from what you posted, I can't even tell if we are discussing ipchains or iptables)? Oh, and if the firewall logs the DROP, what does an actual log entry read like?

That said ... in iptables, state INVALID means (from the man page) "that the packet is associated with no known connection". From that, I'd infer that a *particular* icmp type-11 packet may be INVALID or not, but that they should not in general be INVALID. In particular, I would not expect this state to interfere with traceroute ttl-exceeded replies. But I could easily be missing something, even something relatively obvious, since I don't use a similar rule here; some details would permit more certain diagnosis.


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
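Since the reply above asks what the logged DROP actually looks like, here is a small parser for iptables LOG lines (an added example, not code from the thread). It pulls out the ICMP type/code and the inner packet that an ICMP error quotes, so a time-exceeded reply to a traceroute probe can be told apart from other INVALID drops. The `OUTPUT-INVALID:` log prefix and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample entries in the kernel's ipt_LOG format; ICMP errors carry the
# offending packet's headers in [...] after the outer fields.
SAMPLE_LOG = """\
Nov 25 13:03:01 fw kernel: OUTPUT-INVALID: IN= OUT=br0 SRC=192.0.2.1 DST=198.51.100.7 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=ICMP TYPE=11 CODE=0 [SRC=198.51.100.7 DST=203.0.113.9 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=1234 PROTO=UDP SPT=44321 DPT=33435 LEN=8 ]
Nov 25 13:03:02 fw kernel: OUTPUT-INVALID: IN= OUT=br0 SRC=192.0.2.1 DST=198.51.100.7 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=ICMP TYPE=11 CODE=0 [SRC=198.51.100.7 DST=203.0.113.9 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=1235 PROTO=UDP SPT=44321 DPT=33436 LEN=8 ]
Nov 25 13:04:10 fw kernel: OUTPUT-INVALID: IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51000 WINDOW=0 RES=0x00 RST URGP=0
"""

PAIR = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like DF or RST are skipped
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}

def parse_log_line(line):
    """Return a dict of outer fields (plus 'prefix' and optional 'inner'), or None."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if not m:
        return None
    outer, _, inner = m.group(2).partition("[")
    entry = dict(PAIR.findall(outer))
    entry["prefix"] = m.group(1).strip()
    if inner:
        entry["inner"] = dict(PAIR.findall(inner.split("]")[0]))
    return entry

def describe(entry):
    """Human-readable label: protocol, or ICMP type plus the flow the error is about."""
    if entry.get("PROTO") != "ICMP":
        return f"{entry['PROTO']} {entry['SRC']}->{entry['DST']}"
    name = ICMP_TYPES.get(int(entry["TYPE"]), f"type-{entry['TYPE']}")
    inner = entry.get("inner")
    if not inner:
        return f"ICMP {name}"
    return f"ICMP {name} about {inner['PROTO']} {inner['SRC']}->{inner['DST']}"

def is_traceroute_reply(entry):
    """Time-exceeded error quoting a UDP probe in the classic traceroute port range."""
    inner = entry.get("inner") or {}
    return (entry.get("PROTO") == "ICMP" and entry.get("TYPE") == "11"
            and inner.get("PROTO") == "UDP" and 33434 <= int(inner.get("DPT", 0)) <= 33534)

def summarize(log_text):
    """Count drops per (log prefix, description) so the dominant victim stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry:
            counts[(entry["prefix"], describe(entry))] += 1
    return counts

if __name__ == "__main__":
    for (prefix, what), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {prefix} {what}")
```

Feed it `grep 'OUTPUT-INVALID:' /var/log/messages` and the summary shows whether the dropped packets are type-11 replies about forwarded UDP probes, which is the detail the reply above is asking for.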
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html