Re: IPChains Question (compatibility mode on kernel 2.4.x)

From: Glynn Clements (glynn.clements_at_virgin.net)
Date: 05/13/03

    Date: Tue, 13 May 2003 04:55:42 +0100
    To: Bill Tihen <bill@tasis.ch>
    
    

    Bill Tihen wrote:

    > I am using RH90. From my (limited) understanding the following IPchain
    > should work (all my rules based on tcp, udp & icmp work).
    >
    > -A input -i eth0 -p ddp --dport rtmp -j ACCEPT
    > #-A input -i eth0 -p ddp --dport zip -j ACCEPT
    > #-A input -i eth0 -p ddp --dport nbp -j ACCEPT
    > #-A input -i eth0 -p ddp --dport echo -j ACCEPT
    > #-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport rtmp -j ACCEPT
    > #-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport zip -j ACCEPT
    > #-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport nbp -j ACCEPT
    > #-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport echo -j ACCEPT
    >
    > I get the following error(s):
    >
    > [root@enet root]# /etc/rc.d/init.d/ipchains restart
    > Flushing all current rules and user defined chains: [ OK ]
    > Clearing all current rules and user defined chains: [ OK ]
    > Applying ipchains firewall rules: /sbin/ipchains: can only specify ports for
    > icmp, tcp or udp

    ipchains (both the utility and the underlying kernel support) doesn't
    understand DDP; at least, not to the extent that it understands TCP,
    UDP and ICMP.

    It can match the protocol itself (i.e. IP protocol 37), and it can
    match the generic fields (source/destination address, interface), but
    it doesn't know anything about the format of DDP, or DDP protocol
    types (ZIP, NBP etc).

    The only useful link which I managed to find (although I didn't look
    very far) was:

    http://ebv.mimnet.northwestern.edu/~aiyar/appletalk-filter.html

    -- 
    Glynn Clements <glynn.clements@virgin.net>
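
An added example, not part of the original post and not ipchains code: a small Python check that scans an ipchains rules file for the condition behind the error quoted above, a port option on a rule whose `-p` protocol is not icmp, tcp or udp. The function names, the sample rules and the numeric protocol aliases are assumptions of this example; only rules with an explicit `-p` and `--sport`/`--dport` style options are examined.

```python
import shlex

# Protocols for which ipchains accepts port arguments. The numeric forms
# (IP protocol numbers for icmp, tcp, udp) are an assumption of this example.
PORT_CAPABLE = {"icmp", "tcp", "udp", "1", "6", "17"}
PORT_OPTIONS = {"--sport", "--source-port", "--dport", "--destination-port"}

# Constructed sample input: two rules taken from the post (the second is
# commented out there), plus a generic-field DDP rule and a TCP rule.
SAMPLE_RULES = """\
-A input -i eth0 -p ddp --dport rtmp -j ACCEPT
#-A input -i eth0 -p ddp --dport zip -j ACCEPT
-A input -i eth0 -p ddp -s 172.25.0.0/16 -j ACCEPT
-A input -i eth0 -p tcp --dport 22 -j ACCEPT
"""

def rule_protocol(tokens):
    """Return the value following -p/--protocol, or None if the rule has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-p", "--protocol"):
            return tokens[i + 1].lower()
    return None

def lint_rules(text):
    """Return (line_number, protocol, option) for each active rule that gives
    a port option together with a protocol ipchains cannot parse ports for."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        tokens = shlex.split(line)
        proto = rule_protocol(tokens)
        if proto is None or proto in PORT_CAPABLE:
            continue  # no explicit protocol, or one that supports ports
        for tok in tokens:
            if tok in PORT_OPTIONS:
                findings.append((lineno, proto, tok))
    return findings

if __name__ == "__main__":
    for lineno, proto, opt in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {opt} used with -p {proto}; "
              "ipchains only accepts ports for icmp, tcp or udp")
```

Run against the sample, only the first rule is reported; the DDP rule that matches on interface and source address alone passes.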
    
