dropping untracked packet

Rusty Russell rusty@linuxcare.com.au
Tue, 20 Jun 2000 00:15:59 +1000


In message <20000618194003.A10105@segfault.net> you write:
> Hi...
> 
> Linux 2.4.0-test1-ac18
> I tried to send out some icmp-reply packets
> (for testing network stuff) and got the following in my
> log:
>  NAT: 3 dropping untracked packet c7767f00 1 10.0.1.1 -> 10.0.3.1
> 
> my output rule is: iptables -P OUTPUT ACCEPT
> 
> How can I disable connection tracking on a specific interface or
> for a specific protocol (e.g. icmp)?

You can't.  You could change one line in NAT to ACCEPT (rather than
DROP) packets which haven't been tracked, if you wanted to hack it.

> I need the connection tracking stuff for NAT and stateful packet filtering..
> but still want to send out whatever i want :)

Sorry; this is not negotiable 8( The design is simplified greatly by
tracking everything: as soon as you don't track some traffic, tracking
becomes unreliable.  For example, how can you tell if an ICMP error is
valid if you haven't tracked all connections?

It'd be pretty easy to have a `conntrack' table which controlled which
packets get handed to the connection tracking code, but:

1) I'll have to deal with the bug reports.

2) Give people too many knobs (and the associated 2000-line HOWTO) and
   they'll end up with something grossly insecure, because they "only"
   allocated themselves 8 hours to get their Linux-based packet filter
   working!

Rusty.
--
Hacking time.
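The "NAT: ... dropping untracked packet" line quoted above is the only trace an administrator gets when locally generated traffic bypasses connection tracking. As an added example (not code from the thread or from the netfilter project), here is a small parser that pulls such lines out of a kernel log and counts drops per hook, protocol and address pair, so a single misbehaving tool shows up as a repeated entry rather than as noise. The field layout it assumes (hook number, skb address, IP protocol number, then src -> dst) and the hook-number-to-name table are taken as assumptions from the 2.4-era netfilter code, and the sample log lines are constructed for the example; only the first one is the line from the original report.

```python
import re
from collections import Counter

# Constructed sample kernel log lines. The first is the line from the original
# report; the others are made up to show repeated and non-ICMP drops plus an
# unrelated line that the parser must ignore.
SAMPLE_LOG = """\
NAT: 3 dropping untracked packet c7767f00 1 10.0.1.1 -> 10.0.3.1
NAT: 3 dropping untracked packet c7767f00 1 10.0.1.1 -> 10.0.3.1
NAT: 3 dropping untracked packet c77a1200 17 10.0.1.1 -> 10.0.3.7
kernel: eth0: link up
"""

# Assumed mapping of 2.4-era netfilter hook numbers (NF_IP_*) to names.
HOOK_NAMES = {0: "PRE_ROUTING", 1: "LOCAL_IN", 2: "FORWARD", 3: "LOCAL_OUT", 4: "POST_ROUTING"}
# IANA protocol numbers for the protocols most likely to appear.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed field layout: hook number, skb address, IP protocol number, src -> dst.
LINE_RE = re.compile(
    r"NAT: (?P<hook>\d+) dropping untracked packet (?P<skb>[0-9a-f]+) "
    r"(?P<proto>\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return a dict for an untracked-packet drop line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hook = int(m.group("hook"))
    proto = int(m.group("proto"))
    return {
        "hook": HOOK_NAMES.get(hook, str(hook)),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def summarize(log_text):
    """Count drops per (hook, proto, src, dst) so repeated drops stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["hook"], rec["proto"], rec["src"], rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (hook, proto, src, dst), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {hook:<13} {proto:<5} {src} -> {dst}")
```

Feed it `dmesg` or the kernel facility of syslog; a steady count of LOCAL_OUT drops for one protocol, as in the report, points at a local program writing raw packets rather than at anything arriving from the network.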