Problem accessing https://my.procurve.com/profile/index.aspx (ACK is over the upper bound)
Krzysztof Oledzki
ole at ans.pl
Mon Jul 2 20:17:00 CEST 2007
On Mon, 2 Jul 2007, Patrick McHardy wrote:
> Krzysztof Oledzki wrote:
>>
>> OK, this was easy. The RST was sent simply because the packet was not
>> dropped but instead delivered to the local IP - there was no valid tuple
>> to change (unnat) the packet destination. Setting:
>>
>> iptables -I PREROUTING -m conntrack --ctstate INVALID -j DROP
>
>
> We should really document that with window tracking and NAT you
> must drop INVALID packets to avoid them getting delivered locally
> and causing a RST.
Indeed. There should be a big, fat warning about dropping in INPUT (and
probably FORWARD). The question is where: Kconfig (NAT)? man iptables?
both? ;)
>> make no more RSTs, only retransmissions from the 216.34.143.7. And yes, I
>> have a patched kernel so I'm able to filter packets in a PREROUTING chain.
>
> Dropping works without any patches.
Yes, in INPUT. I discovered that such packets go to INPUT shortly after
I had written this mail. Before that I had put this in PREROUTING, which
is not possible by default.
Best regards,
Krzysztof Olędzki
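The thread's practical conclusion is that a host doing NAT with TCP window tracking needs an INVALID drop rule in INPUT (and FORWARD) before anything that ACCEPTs, otherwise an un-NATed packet reaches the local stack and draws a RST. The script below is an added example written for this page, not code from the thread or from netfilter: it parses an iptables-save style dump and reports, per chain, whether such a rule exists and whether it sits ahead of the first ACCEPT, plus whether the nat table actually uses a NAT target so you know the warning applies. The dump, chain names and addresses in SAMPLE_DUMP are constructed for illustration.

```python
"""Audit an iptables-save dump for the INVALID-drop rules that NAT plus
TCP window tracking require (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: NAT is in use, INPUT drops INVALID first,
# but FORWARD never does (the gap Krzysztof's mail warns about).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.5 -p tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_dump(dump: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {table: {chain: [rule_body, ...]}} from '*table', ':chain'
    and '-A chain ...' lines; COMMIT and comments are skipped."""
    tables: Dict[str, Dict[str, List[str]]] = {}
    table: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif table is None:
            continue
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, *rest = line.split(maxsplit=2)
            tables[table].setdefault(chain, []).append(rest[0] if rest else "")
    return tables


def target_of(rule: str) -> Optional[str]:
    """The token after '-j', or None for a rule with no target."""
    tokens = rule.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-j":
            return tokens[i + 1]
    return None


# Match both the conntrack and the older state match, INVALID alone.
_INVALID_STATE = re.compile(r"--(?:ctstate|state) INVALID(?=\s|$)")


def is_invalid_drop(rule: str) -> bool:
    """True for '-m conntrack --ctstate INVALID -j DROP' and its -m state twin."""
    return bool(_INVALID_STATE.search(rule)) and target_of(rule) == "DROP"


_NAT_TARGETS = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT", "NETMAP"}


def uses_nat(tables: Dict[str, Dict[str, List[str]]]) -> bool:
    """True if any rule in the nat table jumps to a NAT target."""
    return any(target_of(r) in _NAT_TARGETS
               for rules in tables.get("nat", {}).values() for r in rules)


def audit_chain(rules: List[str]) -> Tuple[str, Optional[int]]:
    """('ok', idx) if an INVALID drop precedes every ACCEPT, ('late', idx)
    if one exists but an ACCEPT comes first, ('missing', None) otherwise."""
    first_accept: Optional[int] = None
    for i, rule in enumerate(rules):
        if is_invalid_drop(rule):
            return ("ok" if first_accept is None else "late", i)
        if first_accept is None and target_of(rule) == "ACCEPT":
            first_accept = i
    return ("missing", None)


def audit(dump: str) -> Dict[str, object]:
    """Check INPUT and FORWARD of the filter table and flag NAT use."""
    tables = parse_dump(dump)
    filt = tables.get("filter", {})
    return {
        "nat_in_use": uses_nat(tables),
        "INPUT": audit_chain(filt.get("INPUT", [])),
        "FORWARD": audit_chain(filt.get("FORWARD", [])),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(key, value)
```

Run it against `iptables-save` output on a NAT box; a "late" or "missing" result on a chain while `nat_in_use` is true is exactly the configuration that produced the RSTs discussed above. Only the filter table's INPUT and FORWARD chains are inspected, since that is where the thread says the drop must go on an unpatched kernel.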