Well probably the documentation should be more explicit. I know that's
experimental
code but someone has to use it in order to increase its quality.
My idea of building the rules was to DROP as much as possible all the
"dirty"
packets before the packets can match the rules that allow connections.
Regarding ECN I've it on on most of my boxes without any problems (I
don't care
if I cannot look to lego.com). but I don't want to restart again the ECN
discussion
there were sometimes ago in the ML.
Cheers
Fabio
Rusty Russell wrote:
>
> In message <3B8A262C.82ED7793@ted.ericsson.dk> you write:
> > Hi gurus,
> > I've possibly found a bug in the iptables unclean match support
> > but I was not able to find the email of the mantainer so I'm posting
> > here....
> >
> > the module is incorrectly matching ftp session. Ex:
> >
> > iptables -j DROP -A INPUT --match unclean
> > iptables -j ACCEPT -A INPUT -p tcp --dport 21
> >
> > in this case all my packets directed to the ftp server where dropped by
> > the
> > "unclean" match and this make impossible to open ftp session.
>
> Please do not do this. "unclean" should be renamed "interesting": you
> should log these packets, but probably not drop them, otherwise some
> things may break.
>
> Like ECN...
>
> Cheers,
> Rusty.
> --
> Premature optmztion is rt of all evl. --DK
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Aug 31 2001 - 21:00:28 EST