[Bug 988] manpage: mention that REJECT should be used with care
bugzilla-daemon at netfilter.org
Tue Dec 2 16:39:17 CET 2014
https://bugzilla.netfilter.org/show_bug.cgi?id=988
Pablo Neira Ayuso <pablo at netfilter.org> changed:
          What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
                CC|                            |pablo at netfilter.org
        Resolution|---                         |WONTFIX
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Denys Vlasenko from comment #0)
> I've got a user report. They are using the following set of rules:
>
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> ...<more open port snipped>...
> -j REJECT --reject-with icmp-host-prohibited
People have to handle the INVALID state, which is the one that those invalid
checksum packets are reaching.
I mean, there are four ct states, and it's a good practice if your ruleset
handles them all.
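An added example, not part of the bug report or of the netfilter project's code: a small check that lists which ct states no rule names before a catch-all REJECT, run over the ruleset quoted in the report. It assumes the four states meant are NEW, ESTABLISHED, RELATED and INVALID; the function names and the variant with an INVALID DROP rule are constructed for illustration.

```python
import shlex

# The four ct states the comment refers to; this list is an assumption.
CT_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def parse(rule):
    """Return (states, target, other) for one well-formed iptables rule line.
    states is None when the rule carries no state match."""
    tok = shlex.split(rule)
    states, target, other, i = None, None, [], 0
    while i < len(tok):
        t = tok[i]
        if t in ("--state", "--ctstate"):
            listed = set(tok[i + 1].split(","))
            negated = bool(other) and other[-1] == "!"
            if negated:
                other.pop()  # the "!" belongs to this match
            states = CT_STATES - listed if negated else listed & CT_STATES
            i += 2
        elif t in ("-j", "--jump"):
            target = tok[i + 1]
            i += 2
        elif t in ("-A", "--reject-with"):
            i += 2  # chain name / reject type: irrelevant to this check
        elif t == "-m" and tok[i + 1] in ("state", "conntrack"):
            i += 2
        else:
            other.append(t)  # any other match (-p, --dport, ...)
            i += 1
    return states, target, other

def states_missing_before_reject(rules):
    """States no terminal rule names before the catch-all REJECT.
    Returns [] if the ruleset has no catch-all REJECT."""
    named = set()
    for rule in rules:
        states, target, other = parse(rule)
        if states is None and target == "REJECT" and not other:
            return sorted(CT_STATES - named)
        if states and target in TERMINAL:
            named |= states
    return []

# Ruleset quoted in the report (the snipped rules are left out).
REPORTED = [
    "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT",
    "-j REJECT --reject-with icmp-host-prohibited",
]
# Constructed variant: an explicit INVALID rule first (DROP is an assumption).
WITH_INVALID = ["-m state --state INVALID -j DROP"] + REPORTED

if __name__ == "__main__":
    print(states_missing_before_reject(REPORTED))      # ['INVALID']
    print(states_missing_before_reject(WITH_INVALID))  # []
```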