On Mon, Feb 21, 2000 at 05:52:13PM -0800, Gordon Messmer wrote:
> As long as we're on the subject of firewalls, I have a question that I'd
> like to ask:
> If I have a linux box with no firewalling rules, and I attempt to
> connect from <src_ip>:<src_port> to <dest_ip>:<dest_port>, where dest is
> my unprotected linux box, and the port I'm trying to connect to is not
> open, I see the following traffic (pretty close):
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip>:<dest_port> -> <src_ip>:<src_port> : ICMP tcp port not
> reachable
> and the application fails the connection immediately. Now, I turn on
> firewalling on my linux box. I use the following ipchains command:
> ipchains -A input -i eth1 -y -p TCP --destination-port :1023 -j REJECT
> Now, I attempt the connection again, and see something like the
> following traffic:
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> ...
> So, the linux box with firewalling in place is certainly REJECT'ing
> connection attempts, but not in a manner uniform with the port being
> simply closed. Additionally, the client _DOES NOT FAIL_. It tries
> again until it times out (much later). Both of these boxes are running
> linux kernel 2.2.15 pre2.
Ok... So you're running IPChains (as opposed to ipfwadm on
earlier kernels or netfilter on the newer stuff).
> The behavior of both of the boxes in the latter configuration seems
> incorrect. However, I'm not well versed on the RFC for TCP. I don't
> actually KNOW how it's supposed to behave. How does this compare to
> other products? Older/newer linux kernels?
> It seems that the REJECT behavior should be consistent with the port
> actually being unavailable. It also seems that the client should fail
> immediately, since it's getting notification that the port is
> unavailable. I think I should complain to the kernel list, but I'm not
> sure. What do you think?
I think it should go to the IPChains list and I'm Cc'ing this reply
in that direction as well.
> MSG
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
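The quoted question turns on what the connecting client actually sees: does connect() fail at once, or does the client keep retransmitting SYNs until its own timer expires? The script below is an added example for reproducing that measurement from the client side; it is not code from the original thread or from either poster. It times a connect() and maps the resulting errno onto the outcomes discussed above. The label names (REFUSED, UNREACHABLE, TIMEOUT) and the helper names are my own choices, and the loopback target it probes is a constructed input: a port on 127.0.0.1 that nothing is listening on, which on a box with no firewall rules is exactly the "port simply closed" case. Run it against a port behind an ipchains REJECT rule instead and the elapsed time and outcome show directly whether the client failed fast or retried until timeout.

```python
"""Time a TCP connect() and classify what the client got back.

Added example (not from the original mailing-list thread).  A closed
port that answers immediately surfaces as ECONNREFUSED; a SYN that is
silently dropped, or answered with something the client does not treat
as a hard error, surfaces only as a timeout after many retransmits.
"""
import errno
import socket
import time

# Outcome labels: assumed names chosen for this example.
REFUSED = "refused"          # peer answered; connect() returned ECONNREFUSED
UNREACHABLE = "unreachable"  # kernel reported a host/network error up front
TIMEOUT = "timeout"          # nothing usable came back before our deadline
CONNECTED = "connected"

_ERRNO_MAP = {
    errno.ECONNREFUSED: REFUSED,
    errno.EHOSTUNREACH: UNREACHABLE,
    errno.ENETUNREACH: UNREACHABLE,
    errno.ETIMEDOUT: TIMEOUT,
}


def classify_errno(code):
    """Map an errno value from connect() onto one of the outcome labels."""
    return _ERRNO_MAP.get(code, "error:%s" % errno.errorcode.get(code, code))


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect; return (outcome, elapsed_seconds)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        outcome = CONNECTED
    except socket.timeout:
        # Our own deadline fired first: the kernel was still retrying SYNs.
        outcome = TIMEOUT
    except OSError as e:
        outcome = classify_errno(e.errno)
    finally:
        s.close()
    return outcome, time.monotonic() - start


def free_local_port():
    """Constructed input: a loopback TCP port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def summarize(outcome, elapsed, budget):
    """Did the client fail fast, as the poster expected, or hang and retry?"""
    if outcome == REFUSED and elapsed < budget / 2:
        return "fast-fail"
    if outcome == TIMEOUT:
        return "retried-until-timeout"
    return outcome


if __name__ == "__main__":
    port = free_local_port()
    outcome, elapsed = probe("127.0.0.1", port, timeout=3.0)
    print("127.0.0.1:%d -> %s after %.3fs (%s)"
          % (port, outcome, elapsed, summarize(outcome, elapsed, 3.0)))
```

Point probe() at a host and port covered by the REJECT rule to compare the two configurations side by side; the timeout argument only bounds how long this script waits, it does not change how long the kernel itself keeps retransmitting SYNs.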