[Firehol-support] DROPping INVALID in OUTPUT

Costa Tsaousis costa at tsaousis.gr
Thu Jul 29 23:26:37 BST 2004


> First of all, many thanks for Firehol. It has really simplified use of
> iptables.


> I have one problem, however.
> Using eth0 LAN, ppp0 dial-up link. Masquerade, using lan-gateway.conf as
> template for config.
> If the ppp link is down and a host on the LAN sends a packet destined
> for the outside world, the icmp-unreachable packet does not get
> returned, so the LAN host has to wait to time out.
> The offending line seems to be:
> ${IPTABLES_CMD} -A OUTPUT -m state --state INVALID -j DROP
> Although the comment says this is recommended in the Netfilter HOWTO, I
> cannot find it.

It says:

A packet which could not be identified for some reason: this includes
running out of memory and ICMP errors which don't correspond to any known
connection. Generally these packets should be dropped.

I have scanned the iptables mailing lists a bit, and it seems that the
netfilter developers have adopted this definition for the man page of
iptables. I can confirm this, since the "state" match in my installed
iptables man pages is explained with exactly the same wording.

I also found this interesting document:
I don't know if it applies to you.

> I can fix it by adding
> iptables -I OUTPUT 2 -m state --state INVALID -p icmp --icmp-type
> destination-unreachable -j ACCEPT
> Is this sensible? But surely these packets are not really INVALID. Are
> they not RELATED? Is this an iptables bug, or something that should be
> accommodated in Firehol?

I really don't like to attempt fixing this in FireHOL. The HOWTO and the
man page are very specific about INVALID packets and I would not like to
ignore that. The fact however that your kernel returns as invalid the
destination unreachable messages, I believe, should be reported to the
netfilter team.



PS: Note that in version 1.194 of FireHOL, dropping of INVALID packets is
part of the "protection" helper and can be disabled as a default rule for
the firewall by setting FIREHOL_DROP_INVALID=1 (the default has been
switched to 0, but "protection strong" enables it for specific
This has been made because of bug 927509 
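As an added example (not the poster's or FireHOL's own code), the two OUTPUT rules discussed in this thread in the order they must be applied, plus a small check over the text of `iptables -S OUTPUT` that confirms the ICMP exception sits before the INVALID drop. The `IPTABLES_CMD` variable, the function names and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not FireHOL code. The catch-all DROP of INVALID packets
# from the thread, with the narrower exception the poster proposed in
# front of it, and a text check that the exception comes first.

IPTABLES_CMD="${IPTABLES_CMD:-iptables}"   # assumed variable name

# Order matters: once the INVALID rule drops the packet, a later ACCEPT
# never sees it, so the exception is appended before the drop.
apply_output_rules() {
    "$IPTABLES_CMD" -A OUTPUT -m state --state INVALID -p icmp \
        --icmp-type destination-unreachable -j ACCEPT
    "$IPTABLES_CMD" -A OUTPUT -m state --state INVALID -j DROP
}

# check_order: reads `iptables -S OUTPUT` lines on stdin and prints
#   ok          the ICMP destination-unreachable ACCEPT precedes INVALID DROP
#   misordered  the DROP comes first (the exception is dead)
#   missing     one of the two rules is absent
# iptables -S prints the ICMP type numerically (3), so both forms match.
check_order() {
    awk '
        /--state INVALID/ && /--icmp-type (3|destination-unreachable)/ \
            && /-j ACCEPT/ && !acc { acc = NR }
        /--state INVALID/ && /-j DROP/ && !drop { drop = NR }
        END {
            if (!acc || !drop) print "missing"
            else if (acc < drop) print "ok"
            else print "misordered"
        }'
}

# Usage on a live box (needs root):  "$IPTABLES_CMD" -S OUTPUT | check_order
```

The check only inspects rule text, so it can be run against a saved listing without root; it does not replace testing the actual ICMP behaviour with the link down.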
