Re: Shouldn't this rule catch all packets

To:	netfilter@lists.netfilter.org
Subject:	Re: Shouldn't this rule catch all packets
From:	Petr Pisar <xpisar@fi.muni.cz>
Date:	Thu, 14 Dec 2006 19:56:06 +0000 (UTC)
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<4581A2F1.10305@vlsmaps.com>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	slrn/0.9.8.1 (Linux)

To:

netfilter@lists.netfilter.org

Subject:

Re: Shouldn't this rule catch all packets

From:

Petr Pisar <xpisar@fi.muni.cz>

Date:

Thu, 14 Dec 2006 19:56:06 +0000 (UTC)

Delivered-to:

sp-com-lists@consult.net

Delivered-to:

netfilter-list1@securepoint.com

List-archive:

</pipermail/netfilter>

List-help:

<mailto:netfilter-request@lists.netfilter.org?subject=help>

List-id:

General discussion and user questions <netfilter.lists.netfilter.org>

List-post:

<mailto:netfilter@lists.netfilter.org>

List-subscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>

List-unsubscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>

References:

<4581A2F1.10305@vlsmaps.com>

Sender:

netfilter-bounces@lists.netfilter.org

User-agent:

slrn/0.9.8.1 (Linux)

On 2006-12-14, jwlargent <jwlargent@vlsmaps.com> wrote:
> I was trying to debug some errors in my iptables setup so I added the 
> following rules to my OUTPUT, just to see what packets were going out.
>
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> When I do iptables -L OUTPUT -v it shows some packets are falling 
> through to the last rule.
> Shouldn't the first rule catch all the packets?
>
No. There exists forth state called INVALID. E.g. TCP packet with ACK
witch is not part of any tracked TCP connection is INVALID. Naturally,
INVALID packets are ill packets and they shoudn't appear, but the reality
is different.

-- Petr

<Prev in Thread]	Current Thread	[Next in Thread>
Shouldn't this rule catch all packets, jwlargent Re: Shouldn't this rule catch all packets, Petr Pisar <= Re: Shouldn't this rule catch all packets, jwlargent

Previous by Date:	Shouldn't this rule catch all packets, jwlargent
Next by Date:	Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask, Bernardo Vieira
Previous by Thread:	Shouldn't this rule catch all packets, jwlargent
Next by Thread:	Re: Shouldn't this rule catch all packets, jwlargent
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Shouldn't this rule catch all packets, jwlargent

Next by Date:

Allowing hosts to bypass transparent proxy (squid+netfilter) to port 80 for a specific netmask, Bernardo Vieira

Previous by Thread:

Shouldn't this rule catch all packets, jwlargent

Next by Thread:

Re: Shouldn't this rule catch all packets, jwlargent

Indexes:

[Date] [Thread] [Top] [All Lists]