[Firehol-support] DROPping INVALID in OUTPUT
Mark Hindley
mark at hindley.uklinux.net
Thu Jun 3 10:55:37 BST 2004
First of all, many thanks for Firehol. It has really simplified use of
iptables.
I have one problem, however.
Using eth0 for the LAN and ppp0 as the dial-up link, masquerading, with lan-gateway.conf as the template for the config.
If the ppp link is down and a host on the LAN sends a packet destined
for the outside world, the ICMP unreachable packet does not get
returned, so the LAN host has to wait to time out.
The offending line seems to be:
${IPTABLES_CMD} -A OUTPUT -m state --state INVALID -j DROP
Although the comment says this is recommended in the Netfilter HOWTO, I
cannot find it.
I can fix it by adding
iptables -I OUTPUT 2 -m state --state INVALID -p icmp --icmp-type destination-unreachable -j ACCEPT
Is this sensible? But surely these packets are not really INVALID. Aren't
they RELATED? Is this an iptables bug, or something that should be
accommodated in Firehol?
Thanks for your help
Mark
--
Mark Hindley
6, Nursery Park
Innerleithen
Peeblesshire
01896 830304
mark at hindley.uklinux.net
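The ordering problem in the message above, as an added example (this is not Firehol's code and not the poster's; it is a hypothetical helper script). The practical point of the poster's fix is that the ACCEPT for locally generated ICMP destination-unreachable must come before "-m state --state INVALID -j DROP" in OUTPUT, otherwise the DROP shadows it. The script checks that ordering against the text of `iptables -S OUTPUT` and computes the insert position instead of hard-coding "-I OUTPUT 2", so it runs without root; the two chain listings are constructed for the example, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not Firehol's own code and not from the original post.
# Checks the ordering of an OUTPUT chain against the problem described
# above: an ACCEPT for locally generated ICMP destination-unreachable must
# sit *before* "-m state --state INVALID -j DROP", or the DROP shadows it.
# It works on the text of `iptables -S OUTPUT` so it runs without root;
# the listings below are constructed, not captured from a real gateway.

# Constructed listing: OUTPUT chain as the poster describes it (broken).
SAMPLE_OUTPUT_BROKEN='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed listing: the same chain after the poster's "-I OUTPUT 2" fix.
# iptables -S prints the ICMP type numerically (3 = destination-unreachable).
SAMPLE_OUTPUT_FIXED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# invalid_drop_rulenum LISTING
# Prints the 1-based rule number of the first INVALID DROP rule in an
# `iptables -S <chain>` listing. "-P" policy lines are not rules, so only
# "-A" lines are counted; prints nothing if the chain has no such rule.
invalid_drop_rulenum() {
    printf '%s\n' "$1" | grep -- '^-A ' \
        | grep -n -- '--state INVALID -j DROP' | head -n 1 | cut -d: -f1
}

# icmp_unreach_before_invalid_drop LISTING
# Returns 0 when an ACCEPT for ICMP type 3 / destination-unreachable appears
# before the INVALID DROP rule (or there is no INVALID DROP at all), 1 otherwise.
icmp_unreach_before_invalid_drop() {
    rules=$(printf '%s\n' "$1" | grep -- '^-A ')
    drop_pos=$(printf '%s\n' "$rules" | grep -n -- '--state INVALID -j DROP' \
        | head -n 1 | cut -d: -f1)
    accept_pos=$(printf '%s\n' "$rules" \
        | grep -n -E -- '--icmp-type (3|destination-unreachable)( |$).*-j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    [ -n "$drop_pos" ] || return 0
    [ -n "$accept_pos" ] || return 1
    [ "$accept_pos" -lt "$drop_pos" ]
}

# fix_command LISTING
# Prints the iptables command that inserts the ACCEPT at the INVALID DROP's
# own position, so it lands in front of the DROP wherever that rule is
# (the poster's hard-coded "-I OUTPUT 2" only works if the DROP is rule 2).
# On a modern iptables, "-m conntrack --ctstate INVALID" is the equivalent
# of "-m state --state INVALID".
fix_command() {
    n=$(invalid_drop_rulenum "$1")
    [ -n "$n" ] || { echo "no INVALID DROP rule in this chain; nothing to do" >&2; return 1; }
    printf 'iptables -I OUTPUT %s -p icmp --icmp-type destination-unreachable -m state --state INVALID -j ACCEPT\n' "$n"
}

# Stand-alone demo: the command to run (as root) against the broken chain,
# then a check that the fixed chain lets the ICMP error past the DROP.
fix_command "$SAMPLE_OUTPUT_BROKEN"
icmp_unreach_before_invalid_drop "$SAMPLE_OUTPUT_FIXED" \
    && echo "fixed chain: ICMP unreachable is accepted ahead of the INVALID DROP"
```

To use it on a live gateway, feed it the real chain: `icmp_unreach_before_invalid_drop "$(iptables -S OUTPUT)"`, and run the line printed by `fix_command "$(iptables -S OUTPUT)"` as root. The check is deliberately narrow (ICMP type 3 only), matching what the poster opened up; it does not accept other INVALID traffic.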