From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: Problem accessing https://my.procurve.com/profile/index.aspx (ACK is over the upper bound)
Date: Mon, 02 Jul 2007 20:20:06 +0200
Message-ID: <468941D6.7090306@trash.net>
References: <4688FC41.5070403@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: netfilter-devel@lists.netfilter.org
To: Krzysztof Oledzki
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Krzysztof Oledzki wrote:
> On Mon, 2 Jul 2007, Patrick McHardy wrote:
>
>> We should really document that with window tracking and NAT you
>> must drop INVALID packets to avoid them getting delivered locally
>> and causing a RST.
>
> Indeed. There should be a big, fat warning about dropping in INPUT (and
> probably FORWARD). The question is where: Kconfig (NAT)? man iptables?
> both? ;)

The manpage I guess. Kconfig is not really the place for this IMO.

>>> make no more RSTs, only retransmissions from the 216.34.143.7. And yes, I
>>> have a patched kernel so I'm able to filter packets in a PREROUTING
>>> chain.
>>
>> Dropping works without any patches.
>
> Yes, in INPUT. I discovered that such packets go to INPUT shortly
> after I had written this mail. Before that I had put this in PREROUTING,
> which is not possible by default.

You can drop in PREROUTING/mangle for example. In the filter table it's not
possible of course since there is no PREROUTING chain :)
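The advice in this thread (drop conntrack INVALID packets in INPUT and FORWARD, or in mangle PREROUTING, on a NAT box with window tracking) as an added shell example that is not part of the mail exchange: a check that audits an iptables-save dump for the missing drop rules, and the rules that add them. The saved ruleset below is constructed for the example; it assumes iptables with the conntrack match (the older `-m state --state INVALID` form is accepted by the check as well).

```shell
#!/bin/sh
# Added example, not from the thread. Audit an iptables-save dump (stdin) and
# report which of the given filter chains lack an INVALID -> DROP rule.
# Returns 0 if every chain has one, 1 otherwise.
check_invalid_drops() {
    rules=$(cat)
    missing=""
    for chain in "$@"; do
        # Match either the conntrack match (--ctstate) or the legacy state
        # match (--state) followed by a DROP target.
        if ! printf '%s\n' "$rules" |
             grep -Eq "^-A $chain .*(--ctstate|--state) INVALID .*-j DROP"; then
            missing="$missing $chain"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "no INVALID drop in:$missing" >&2
    return 1
}

# Print the rules that close the gap. Out-of-window packets on a NATed flow
# that are not dropped reach the local stack, which answers with a RST.
# The filter table has no PREROUTING chain, so the early drop lives in mangle.
IPT=${IPT:-iptables}
invalid_drop_rules() {
    echo "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "$IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP"
}

# Constructed sample: MASQUERADE is active but only INPUT drops INVALID,
# so forwarded out-of-window segments still leak through.
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'
```

Run `iptables-save | check_invalid_drops INPUT FORWARD` on a live host to audit it; `invalid_drop_rules | sh` as root applies the rules.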