On Thu, 6 Jun 2002, Joe Patterson wrote:

> That's interesting...  I guess it could make sense... sort of...
>
> but, to be really obnoxious about it, I would think it would make sense to
> have rules such as:
>
> for IF in `ifconfig | cut -d " " -f 1 | grep -v ^$`; do
>       $IPT -A INPUT -p icmp --icmp-type 5 -m state --state RELATED -i $IF -s `ip addr ls dev $IF | grep inet | cut -d " " -f 6` -j ACCEPT
> done
>
> and
>
> $IPT -A FORWARD -p icmp --icmp-type 5 -j DROP
>
> on the basis of my belief that you should never ever have a redirect
> crossing a router, but you *may* want to accept redirects from local
> gateways...

conntrack is responsible for keeping track of the connections as perfectly
(and with as little overhead) as possible. At the filter stage one can
filter out the unwanted packets exactly as you suggested.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
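The per-interface rule set sketched in Joe's message, written up as an added example that is not code from this thread: it parses `ip -o -4 addr show` instead of the `ifconfig | cut` pipeline, emits one INPUT ACCEPT for redirects arriving on each interface from its own prefix plus the FORWARD DROP, and only executes the commands when `apply_redirect_rules` is called as root. `IPT`, the sample addresses and the decision to skip `lo` are assumptions.

```shell
#!/bin/sh
# Assumption: IPT names the iptables binary (override via the environment).
IPT="${IPT:-iptables}"

# Constructed sample of `ip -o -4 addr show` output (trailing lifetime
# fields trimmed) so the generator can be exercised without a live box.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 10.0.0.2/30 scope global eth1'

# Print, without executing, the rules for the given `ip -o -4 addr show`
# text: one ACCEPT per non-loopback interface for conntrack-RELATED ICMP
# redirects (type 5) sourced from that interface's prefix, then the
# FORWARD drop so no redirect ever crosses the router.
# Field layout of -o output: "<idx>: <ifname> inet <addr/prefix> ..."
# Passing addr/prefix to -s lets iptables mask it to the subnet itself.
redirect_rules() {
    printf '%s\n' "$1" | awk -v ipt="$IPT" '
        $3 == "inet" && $2 != "lo" {
            printf "%s -A INPUT -i %s -s %s -p icmp --icmp-type 5 -m state --state RELATED -j ACCEPT\n",
                   ipt, $2, $4
        }
        END {
            printf "%s -A FORWARD -p icmp --icmp-type 5 -j DROP\n", ipt
        }'
}

# Generate the rules from the running system and load them (needs root).
# Not invoked here; call it explicitly from your firewall script.
apply_redirect_rules() {
    redirect_rules "$(ip -o -4 addr show)" | sh -e
}
```

Run `redirect_rules "$(ip -o -4 addr show)"` first to review the exact commands before letting `apply_redirect_rules` load them.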