Krzysztof Oledzki wrote:
> On Mon, 2 Jul 2007, Patrick McHardy wrote:
>
>> We should really document that with window tracking and NAT you
>> must drop INVALID packets to avoid them getting delivered locally
>> and causing a RST.
>
> Indeed. There should be a big, fat warning about dropping in INPUT (and
> probably FORWARD). The question is where: Kconfig (NAT)? man iptables?
> both? ;)

The manpage I guess. Kconfig is not really the place for this IMO.
>>> make no more RSTs, only retransmissions from the 216.34.143.7. And yes, I
>>> have a patched kernel so I'm able to filter packets in a PREROUTING
>>> chain.
>>
>> Dropping works without any patches.
>
> Yes, in INPUT. I discovered that such packets go to INPUT shortly
> after I had written this mail. Before that I had put this in PREROUTING,
> which is not possible by default.

You can drop in PREROUTING/mangle for example. In the filter table
it's not possible of course since there is no PREROUTING chain.
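The rules the thread arrives at, written out as an added firewall fragment (not code from the thread or from netfilter): INVALID packets are dropped at the top of INPUT and FORWARD, with the mangle/PREROUTING variant as the early-drop alternative. The `IPT` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not from the thread. IPT names the iptables binary;
# set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_invalid_drop() {
    # INPUT: with TCP window tracking and NAT, packets the conntrack code
    # classes INVALID would otherwise be delivered locally and answered
    # with a RST. Inserting at position 1 keeps the rule ahead of any ACCEPT.
    "$IPT" -I INPUT 1 -m state --state INVALID -j DROP
    # FORWARD: the same for traffic routed through the NAT box.
    "$IPT" -I FORWARD 1 -m state --state INVALID -j DROP
}

apply_invalid_drop_mangle() {
    # Earliest possible drop point without kernel patches: the filter table
    # has no PREROUTING chain, but the mangle table does.
    "$IPT" -t mangle -I PREROUTING 1 -m state --state INVALID -j DROP
}
```

`-m state --state INVALID` is the match used in this era of iptables; on current systems `-m conntrack --ctstate INVALID` is equivalent. Run as root to apply, or with `IPT=echo` to review the rules first.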