hi ray

> This question is a bit too succinct to get a good response. I assume it
> refers to an icmp type-11 packet. And I'll guess that the underlying
> problem motivating the question is traceroute failures (but a clarification
> of that part would be welcome).

yes, it's a traceroute-problem.

> But what version of LEAF is involved, what firewall package, and what does
> the actual, complete "OUTPUT Rule 2" say (from what you posted, I can't
> even tell if we are discussing ipchains or iptables)? Oh, and if the
> firewall logs the DROP

it's rc3 with standard shorewall version (i think it is 1.3.1)

here the OUTPUT-chain:

 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  any    lo      anywhere             anywhere
    1   120 DROP       icmp --  any    any     anywhere             anywhere             state INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    ppp0    anywhere             anywhere             udp dpts:bootps:bootpc
    0     0 ACCEPT     udp  --  any    br0     anywhere             anywhere             udp dpts:bootps:bootpc
   23  1740 fw2net     ah   --  any    ppp0    anywhere             anywhere
    0     0 fw2loc     ah   --  any    br0     anywhere             192.168.54.0/24
   10   752 fw2loc     ah   --  any    ppp1    anywhere             192.168.54.0/24
    0     0 fw2loc     ah   --  any    ppp2    anywhere             192.168.54.0/24
    0     0 fw2loc     ah   --  any    ppp3    anywhere             192.168.54.0/24
    0     0 common     ah   --  any    any     anywhere             anywhere
    0     0 LOG        ah   --  any    any     anywhere             anywhere             LOG level info prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  any    any     anywhere             anywhere

the ttl-exceeded packets are dropped in rule 2. if i delete this rule, the
packets pass.

i have the following ifaces:

eth0    ethernet for dsl
ppp0    dsl
eth1    coax
eth2    rj45
br0    with eth1 & eth2
ppp1-3    pptp

it makes no difference if i make a traceroute from an internal ip or via
vpn (from outside).

> That said ... in iptables, state INVALID means (from the man page) "that
> the packet is associated with no known connection".  From that, I'd infer
> that a *particular* icmp type-11 packet may be INVALID or not, but that
> they should not in general be INVALID. In particular, I would not expect
> this state to interfere with traceroute ttl-exceeded replies. But I could
> easily be missing something, even something relatively obvious, since I
> don't use a similar rule here;  some details would permit more certain
> diagnosis.

some diagnosis would be great !!

greetz
stefan
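One way to turn a chain listing like the one above into the diagnosis the thread is asking for, as an added example that is not the poster's or Shorewall's own code: parse the `iptables -L <chain> -v` table (keeping the match columns the mailer wrapped onto separate lines), then report every DROP/REJECT rule whose counter is nonzero together with the later ACCEPT for the same protocol that it shadows. The listing embedded below is a constructed, abridged copy of the OUTPUT chain posted above.

```python
import re
from collections import namedtuple

# Constructed, abridged copy of the OUTPUT chain posted above, with each
# rule's match columns ("state INVALID", the LOG prefix) rejoined to its line.
CHAIN_LISTING = """\
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  any    lo      anywhere             anywhere
    1   120 DROP       icmp --  any    any     anywhere             anywhere             state INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
   23  1740 fw2net     ah   --  any    ppp0    anywhere             anywhere
   10   752 fw2loc     ah   --  any    ppp1    anywhere             192.168.54.0/24
    0     0 LOG        ah   --  any    any     anywhere             anywhere             LOG level info prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  any    any     anywhere             anywhere
"""

# One row of the chain; index is the 1-based rule number 'iptables -L --line-numbers' would show.
Rule = namedtuple("Rule", "index pkts bytes target proto in_if out_if src dst extra")

def _counter(text):
    """Parse an 'iptables -v' counter such as '120' or '12K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]

def parse_chain(listing):
    """Turn 'iptables -L <chain> -v' output into Rule objects, skipping the header."""
    rules = []
    for line in listing.splitlines():
        cols = line.split(None, 9)          # cols[4] is the opt column ('--'), not kept
        if len(cols) < 9 or not cols[0][0].isdigit():
            continue                        # header line or blank line
        extra = cols[9] if len(cols) > 9 else ""   # match extensions after destination
        rules.append(Rule(len(rules) + 1, _counter(cols[0]), _counter(cols[1]),
                          cols[2], cols[3], cols[5], cols[6], cols[7], cols[8], extra))
    return rules

def shadowed_drops(rules):
    """Rules that dropped or rejected traffic, each paired with the first later
    ACCEPT for the same protocol that the drop stops from ever matching (or None)."""
    findings = []
    for r in rules:
        if r.target.upper() not in ("DROP", "REJECT") or r.pkts == 0:
            continue
        later = next((s for s in rules[r.index:]
                      if s.target == "ACCEPT" and s.proto in (r.proto, "all")), None)
        findings.append((r, later))
    return findings
```

Run against the posted chain, it singles out rule 2 (DROP icmp, state INVALID, 1 packet) and names rule 3 (ACCEPT icmp) as the rule those packets never reached.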

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
