[Bug 98] state ESTABLISHED allow ipip tunnels
bugzilla-daemon at bugzilla.netfilter.org
Fri Sep 24 15:59:50 CEST 2004
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98
------- Additional Comments From elacour at easter-eggs.com 2004-09-24 15:59 CEST -------
(In reply to comment #3)
> I cannot reproduce this on 2.6.8.1. Protocol 4 is indeed treated just like any
> other unknown protocol, and dropped if not specifically allowed.
>
> Perhaps the user had an unexpired entry already in conntrack during his testing...
>
Yes, I did the test again and there was a conntrack entry. The timeout for
this conntrack entry seems to be 600 seconds ... this seems a lot, no?
Look:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 4 -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 4 -j DROP
then I put the tunnel up and pinged. It was blocked (ok).
now I open the ipip:
iptables -I INPUT -p 4 -j ACCEPT
iptables -I OUTPUT -p 4 -j ACCEPT
ping is ok
I close it before the 600-second conntrack timeout:
iptables -D INPUT -p 4 -j ACCEPT
iptables -D OUTPUT -p 4 -j ACCEPT
ping is ok
and for each new ping it restores the timeout to 600 seconds, so even if we
closed the channel with iptables, people can maintain an open
connection. Is this a feature or a bug?
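As an added example (not part of the bug report or of netfilter), a small POSIX shell helper: audit_order reads an iptables-save dump and flags the ordering shown above, where the RELATED,ESTABLISHED accept precedes the protocol 4 DROP and an existing conntrack entry therefore keeps the tunnel alive; close_ipip shows the defensive way to close the tunnel, removing the ACCEPT rules and purging the conntrack entry. It assumes iptables and the conntrack(8) tool from conntrack-tools are installed, and that conntrack resolves the name "ipencap" (protocol 4) via /etc/protocols.

```shell
#!/bin/sh
# Added example, not code from the bug report. Protocol 4 (ipencap, IP-in-IP)
# and the 600 s generic conntrack timeout are taken from the report above.

# audit_order: read iptables-save / iptables -S output on stdin and fail if,
# in any chain, a RELATED,ESTABLISHED accept comes before the "-p 4 -j DROP"
# rule. With that ordering an already tracked tunnel matches ESTABLISHED
# first, and every tracked packet refreshes the entry, so it never expires.
# usage: iptables-save | audit_order
audit_order() {
    awk '
        /^-A / {
            chain = $2
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/ && !(chain in est))
                est[chain] = NR
            # iptables-save prints protocol 4 as "ipencap" when /etc/protocols knows it
            if ($0 ~ /-p (4|ipencap) / && $0 ~ /-j DROP/ && (chain in est)) {
                printf "%s: ESTABLISHED accept (rule %d) precedes -p 4 DROP\n", chain, est[chain]
                bad = 1
            }
        }
        END { exit bad }'
}

# close_ipip: remove the per-tunnel ACCEPT rules and purge the conntrack
# entry, so closing the tunnel does not leave a self-refreshing 600 s hole.
# Needs root. Assumption: conntrack(8) resolves "ipencap" via /etc/protocols;
# pass the number 4 instead if your version does not.
close_ipip() {
    iptables -D INPUT  -p 4 -j ACCEPT
    iptables -D OUTPUT -p 4 -j ACCEPT
    conntrack -D -p ipencap
}
```

The durable fix for the ordering itself is to place the protocol 4 DROP before the state rule, which audit_order accepts.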