Hello

On Sat, Sep 13, 2008 at 11:36:13PM +0200, pk wrote:
> I am using shorewall on my local computer (the same I'm surfing the web
> with). My skills with iptables are not really good and my understanding of
> networking also has some holes in it... However, I'm trying to prevent
> firefox from accessing a third party site; I'm logging onto a site with
> firefox. With netstat I can see that besides the usual ip address belonging
> to the site another ip-address (not belonging to the original site) shows
> up. While trying to block the additional ip address with both "iptables -A
> INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d xxxx -j DROP" it still
> sends a SYN request to this site. This makes firefox just sit there waiting
> for a time-out. How can I prevent firefox from accessing the other site,
> while still accessing the original one?
If I leave aside that it is quite odd it would have accessed two sites at once (either a virus/cracked computer, or one is just closed, or maybe just an external image), using DROP is plain wrong. You should REJECT (or it is reject, I'm not sure about the case) the packets (at output in this case).

DROP causes the packet to get blackholed without a trace. It sometimes happens to packets on the internet, so it is usual to try again and again until it succeeds or a timeout (usually in tens of seconds) is reached. If you reject it (either with port or destination unreachable or even with "administratively filtered"), the other side knows it has no reason to try again, reports failure right away and saves the traffic and resources by not trying.

Some people say drop does not show you exist but reject does. That is wrong too: destination unreachable means "There is no such machine with this IP", so it should hide the whole machine better than drop (if I send packets and no errors nor responses come, I suspect a firewall as well as a malfunction).

Does this help?

Have a nice help

-- 
BOFH Excuse #452:
Somebody ran the operating system through a spelling checker.

Michal 'vorner' Vaner
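The rule shape the reply recommends (REJECT on OUTPUT so the local browser gets an immediate error instead of retransmitting SYNs until its timeout), as an added example that is not part of the thread. The address 198.51.100.7 is a constructed TEST-NET-2 placeholder standing in for the "xxxx" in the question, `block_rules` is a hypothetical helper name, and the `--reject-with` values are the ones iptables' REJECT target accepts. The function prints the commands and only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): build OUTPUT rules that REJECT instead of
# DROP traffic to one third-party address. A DROP on OUTPUT blackholes the SYN and
# the browser keeps retrying; a REJECT answers it at once with an ICMP error or a
# TCP RST, so the connection attempt fails immediately.

# block_rules HOST [REJECT_TYPE]
#   Prints the iptables commands for HOST. REJECT_TYPE defaults to
#   icmp-admin-prohibited ("administratively filtered" in the reply).
#   Applies the rules only when APPLY=1 and the caller is root.
block_rules() {
    host="$1"
    reject_with="${2:-icmp-admin-prohibited}"

    # Accept only the reject types the iptables REJECT target knows about.
    case "$reject_with" in
        icmp-net-unreachable|icmp-host-unreachable|icmp-port-unreachable|\
        icmp-proto-unreachable|icmp-net-prohibited|icmp-host-prohibited|\
        icmp-admin-prohibited|tcp-reset) ;;
        *) echo "unknown --reject-with type: $reject_with" >&2; return 1 ;;
    esac

    # OUTPUT: the local browser's outgoing SYN is answered right away.
    # "-p tcp" is required for tcp-reset and harmless for the ICMP types.
    out_rule="iptables -A OUTPUT -d $host -p tcp -j REJECT --reject-with $reject_with"
    # INPUT: unsolicited packets from that host are silently discarded; nothing
    # local is waiting on a reply here, so DROP costs us no timeout.
    in_rule="iptables -A INPUT -s $host -j DROP"

    printf '%s\n%s\n' "$out_rule" "$in_rule"

    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        sh -c "$out_rule" && sh -c "$in_rule"
    fi
}

# Dry run: print the rules for the placeholder address.
block_rules 198.51.100.7
```

Run it plainly to see the two commands; run `APPLY=1 sh script.sh` as root to install them. Passing `tcp-reset` as the second argument makes the browser see a closed port instead of an ICMP error, which some applications report more cleanly.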