From: "Walter H." <Walter.H@mathemainzel.info>
To: netfilter@vger.kernel.org
Subject: Re: IPtables and HTTP/2-Push?
Date: Sun, 17 Sep 2017 09:42:39 +0200
Message-ID: <59BE276F.9080507@mathemainzel.info>
In-Reply-To: <ba7e09d692a6bdb55ad32d7e106e33c7.1505378527@squirrel.mail>
On 14.09.2017 10:42, Walter H. wrote:
> Hello,
>
> when I have these two rules on client side (Browser)
>
> # Allow anything out on WAN
> -A OUTPUT -o iface-wan -j ACCEPT
> # Allow established, related packets back in
> -A INPUT -i iface-wan -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> or on firewalls/routers
>
> # Allow anything out on WAN
> -A FORWARD -i iface-lan -o iface-wan -j ACCEPT
> # Allow established, related packets back in
> -A FORWARD -i iface-wan -o iface-lan -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> what happens to packets that the Server pushes without request?
>
> I ask this because I see in the logs regularly a few entries like this
>
> [13-Sep-2017; 16:42:06.415850] IPv6[FWD]: IN=sit1 OUT=br0
> SRC=2a00:1450:4001:0811:0000:0000:0000:200e
> DST=LANprefix:0000:0000:0000:1234 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=262223
>
> as I filtered away INVALID, I can imagine, that these blocked packets come
> from HTTP/2-Push ...
>
> Am I right?
>
> Greetings,
> Walter
>
P.S. This is not limited to IPv6; it also happens with IPv4, e.g.
[17-Sep-2017; 08:42:21.259878] IP[IN]: IN=eth1 OUT=
MAC=24:xx:xx:xx:xx:24:24:xx:xx:xx:xx:24:08:00 SRC=151.101.112.188
DST=#WAN-IP# LEN=115 TOS=0x00 PREC=0x00 TTL=59 ID=63615 DF PROTO=TCP
SPT=443 DPT=53156 WINDOW=57 RES=0x00 ACK PSH URGP=0
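
An added example, not part of the original message: a small triage script for netfilter LOG lines like the ones quoted above. It groups logged TCP packets by source, source port and flag class, which separates connection openings (SYN) from segments of an already running flow (ACK/PSH without SYN), the distinction a stateful ruleset acts on. The sample input is constructed with documentation addresses, and the parser assumes every record opens with a `[timestamp]` prefix as in the quoted logs.

```python
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample (documentation addresses); record 1 is wrapped as in the mail.
SAMPLE = """\
[17-Sep-2017; 08:42:21.259878] IP[IN]: IN=eth1 OUT=
MAC=24:00:00:00:00:24:24:00:00:00:00:24:08:00 SRC=192.0.2.10
DST=198.51.100.7 LEN=115 TOS=0x00 PREC=0x00 TTL=59 ID=63615 DF PROTO=TCP
SPT=443 DPT=53156 WINDOW=57 RES=0x00 ACK PSH URGP=0
[17-Sep-2017; 08:42:22.000001] IP[IN]: IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=443 DPT=53156 WINDOW=57 RES=0x00 ACK FIN URGP=0
[17-Sep-2017; 08:43:10.000002] IP[IN]: IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[13-Sep-2017; 16:42:06.415850] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8::200e DST=2001:db8:1::1234 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=262223
"""

def parse_records(text):
    """Return one dict per LOG record, re-joining wrapped continuation lines."""
    joined = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not joined:
            joined.append(line)          # assumed: every record opens with "[timestamp]"
        else:
            joined[-1] += " " + line     # continuation of the previous record
    out = []
    for toks in map(str.split, joined):
        rec = dict(t.split("=", 1) for t in toks if "=" in t)
        rec["FLAGS"] = {t for t in toks if t in TCP_FLAGS}   # flags are logged as bare words
        out.append(rec)
    return out

def classify(rec):
    """Label a record by what its TCP flags say about the connection phase."""
    if rec.get("PROTO") != "TCP":
        return "not-tcp-or-truncated"    # e.g. a line that shows no PROTO= field
    flags = rec["FLAGS"]
    if "RST" in flags:
        return "reset"
    if "SYN" in flags:
        return "syn-ack" if "ACK" in flags else "new-connection"
    if "FIN" in flags:
        return "teardown"
    return "mid-stream"                  # data/ACK segment with no SYN, RST or FIN

def summarize(text):
    """Count records per (source address, source port, class)."""
    return Counter((r.get("SRC"), r.get("SPT"), classify(r)) for r in parse_records(text))

if __name__ == "__main__":
    print(*summarize(SAMPLE).items(), sep="\n")
```
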