On Thursday 30 May 2002 3:13 pm, [EMAIL PROTECTED] wrote:

> > This type of ICMP message will be RELATED to an existing TCP connection,
> > therefore it will be allowed through the firewall by the sort of ruleset
> > Claudio was using - if you recall, this was:
>
> Ah, I didn't know iptables are smart enough to realize that!

Yes, this is one of the beautiful things about netfilter / iptables - ICMP packets are automatically recognised as being RELATED to the TCP packets which they're, well, related to. That's almost a definition of the difference between ESTABLISHED and RELATED - ESTABLISHED packets are part of the ongoing TCP communication, whereas RELATED ones are things like ICMP messages which say something about the TCP link.

Great, isn't it!?

Antony.
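
The ESTABLISHED / RELATED distinction discussed in this thread, as an added example that is not part of the original message and is not netfilter's own code: a simplified Python model that marks an ICMP error RELATED when the IP and TCP header embedded in its payload match a tracked TCP flow. The names `Tracker`, `ipv4`, `tcp`, `icmp_error` and `tcp_tuple` are hypothetical, all packets and addresses are constructed sample data, and TCP flags, checksums and timeouts are not modelled.

```python
import socket
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # unreachable, source quench, redirect, time exceeded, parameter problem

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample data; checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport):
    """Build a bare 20-byte TCP header (constructed; flags and checksum not modelled)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)

def icmp_error(src, dst, icmp_type, code, original):
    """ICMP error quoting the offending packet's IP header plus its first 8 payload bytes."""
    return ipv4(src, dst, 1, struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28])

def tcp_tuple(pkt):
    """Return (src, dst, sport, dport) for an IPv4/TCP packet, or None if not parseable."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 4 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), sport, dport)

class Tracker:
    def __init__(self):
        self.flows = {}  # original-direction tuple -> True once a reply has been seen

    def classify(self, pkt):
        t = tcp_tuple(pkt)
        if t is not None:
            reply = (t[1], t[0], t[3], t[2])
            if reply in self.flows:          # packet travelling in the reply direction
                self.flows[reply] = True
                return "ESTABLISHED"
            if self.flows.get(t):            # original direction, reply already seen
                return "ESTABLISHED"
            self.flows[t] = False
            return "NEW"
        if len(pkt) >= 28 and pkt[9] == 1:
            icmp = pkt[(pkt[0] & 0x0F) * 4:]
            if len(icmp) >= 8 and icmp[0] in ICMP_ERRORS:
                inner = tcp_tuple(icmp[8:])  # header of the packet that triggered the error
                if inner and (inner in self.flows or (inner[1], inner[0], inner[3], inner[2]) in self.flows):
                    return "RELATED"
                return "INVALID"             # error about a flow that was never tracked
        return "NOT_MODELLED"
```

An ICMP error quoting a flow the tracker never saw, or one whose quoted header is truncated, comes back INVALID rather than RELATED, which is why a rule accepting only ESTABLISHED and RELATED traffic does not pass arbitrary ICMP errors.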
