[Firehol-support] DROPping INVALID in OUTPUT
Costa Tsaousis
costa at tsaousis.gr
Thu Jul 29 23:26:37 BST 2004
Mark,
> First of all, many thanks for Firehol. It has really simplified use of
> iptables.
Thanks.
> I have one problem, however.
> Using eth0 LAN, ppp0 dial-up link. Masquerade, using lan-gateway.conf as
> template for config.
>
> If the ppp link is down and a host on the LAN sends a packet destined
> for the outside world, the icmp-unreachable packet does not get
> returned, so the LAN host has to wait to time out.
>
> The offending line seems to be:
>
> ${IPTABLES_CMD} -A OUTPUT -m state --state INVALID -j DROP
>
> Although the comment says this is recommended in the Netfilter HOWTO, I
> cannot find it.
In
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3
it says:
INVALID
A packet which could not be identified for some reason: this includes
running out of memory and ICMP errors which don't correspond to any known
connection. Generally these packets should be dropped.
I have scanned the iptables mailing lists a bit, and it seems that the
netfilter developers have adopted this definition for the iptables man
page. I can confirm this, since the "state" match in my installed
iptables man pages is explained with exactly the same wording.
I also found this interesting document:
http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
I don't know if it applies to you.
> I can fix it by adding
>
> iptables -I OUTPUT 2 -m state --state INVALID -p icmp --icmp-type
> destination-unreachable -j ACCEPT
>
> Is this sensible? But surely these packets are not really INVALID. Are
> they not RELATED? Is this an iptables bug, or something that should be
> accommodated in Firehol?
I really don't like to attempt fixing this in FireHOL. The HOWTO and the
man page are very specific about INVALID packets and I would not like to
ignore that. The fact, however, that your kernel returns the destination
unreachable messages as invalid should, I believe, be reported to the
netfilter team.
Thanks,
Costa
PS: Note that in version 1.194 of FireHOL, dropping of INVALID packets is
part of the "protection" helper and can be disabled as a default rule for
the firewall by setting FIREHOL_DROP_INVALID=1 (the default has been
switched to 0, but "protection strong" enables it for specific
interfaces).
This was done because of bug 927509
(http://sourceforge.net/tracker/index.php?func=detail&aid=927509&group_id=58425&atid=487692)
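A worked version of the fix discussed in this thread, added here as an example; it is not Costa's, Mark's or FireHOL's own code. It assumes, as in the thread, that eth0 is the LAN side and ppp0 the dial-up link, and that the OUTPUT chain holds no other rules, so absolute positions 1 and 2 are safe (under FireHOL only the two insert lines are needed, at whatever position precedes its own INVALID drop, which is what Mark's "-I OUTPUT 2" does). The time-exceeded rule is my generalisation of Mark's destination-unreachable rule and is not something the thread asks for. My understanding of why the kernel classes these messages as INVALID is that the original LAN packet never left the box, so no confirmed conntrack entry exists for the ICMP error to be RELATED to; the example therefore keeps the exception as narrow as possible (ICMP error types only, LAN interface only) and leaves the general INVALID drop in place:

```shell
#!/bin/sh
# Added example (not FireHOL's own code): the OUTPUT-chain ordering that
# Mark's fix relies on, for a standalone chain on a LAN gateway.
# Assumptions: eth0 is the LAN side and ppp0 the uplink (as in the thread),
# and the chain holds no other rules, so absolute positions 1/2 are safe.
# Under FireHOL only the two -I lines are needed, at whatever position
# precedes its INVALID drop (Mark used "-I OUTPUT 2").
set -eu

# Print the rules in load order.  ICMP errors that the gateway itself
# generates (destination-unreachable; time-exceeded is added here as a
# generalisation) are accepted on the LAN interface only, before the
# INVALID drop.  Everything else conntrack marks INVALID is still dropped,
# as the netfilter HOWTO and iptables(8) recommend, so the exception is as
# narrow as possible: ICMP error types only, LAN side only.
output_rules() {
    lan_if="${1:-eth0}"   # assumed LAN interface
    cat <<EOF
iptables -I OUTPUT 1 -o ${lan_if} -p icmp --icmp-type destination-unreachable -m state --state INVALID -j ACCEPT
iptables -I OUTPUT 2 -o ${lan_if} -p icmp --icmp-type time-exceeded -m state --state INVALID -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
EOF
}

# Sanity check: returns 0 when the ICMP-error ACCEPT precedes the INVALID
# DROP in the emitted rule list, 1 otherwise.  An ACCEPT placed after the
# DROP is never reached, which is exactly the symptom in the thread.
check_order() {
    output_rules "${1:-eth0}" | awk '
        /--icmp-type destination-unreachable .* -j ACCEPT/ && !accept { accept = NR }
        /--state INVALID -j DROP/ { drop = NR }
        END { exit (accept > 0 && drop > accept) ? 0 : 1 }'
}

# Apply only on request; needs root and iptables on the gateway.
# Afterwards, "iptables -L OUTPUT -v -n --line-numbers" shows the order and
# the ACCEPT counters incrementing while the LAN host receives its error.
if [ "${1:-}" = "apply" ]; then
    check_order eth0
    output_rules eth0 | sh -e
fi
```

Run it without arguments to print the rules and with `apply` to load them. After loading, take ppp0 down and ping an outside address from a LAN host: the host should get "Destination Host Unreachable" immediately, and the packet counter on the first ACCEPT rule should increase.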