Gordon,
I'm not very sure about the low level details of ipchains, but I'll give
my input anyway. I hope I'm not shooting below your knowledge line here,
but...
Did you compare the results by using DENY instead of REJECT?
ipchains says REJECT to tell the caller that he is not allowed to
connect, but DENY to indicate that the port "doesn't exist" or is not
listening.
If you were already fully aware of that, then please ignore. :-)
Best regards
Gustav
Gordon Messmer wrote:
>
> As long as we're on the subject of firewalls, I have a question that I'd
> like to ask:
>
> If I have a linux box with no firewalling rules, and I attempt to
> connect from <src_ip>:<src_port> to <dest_ip>:<dest_port>, where dest is
> my unprotected linux box, and the port I'm trying to connect to is not
> open, I see the following traffic (pretty close):
>
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip>:<dest_port> -> <src_ip>:<src_port> : ICMP tcp port not
> reachable
>
> and the application fails the connection immediately. Now, I turn on
> firewalling on my linux box. I use the following ipchains command:
> ipchains -A input -i eth1 -y -p TCP --destination-port :1023 -j REJECT
> Now, I attempt the connection again, and see something like the
> following traffic:
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> ...
>
> So, the linux box with firewalling in place is certainly REJECT'ing
> connection attempts, but not in a manner uniform with the port being
> simply closed. Additionally, the client _DOES NOT FAIL_. It tries
> again until it times out (much later). Both of these boxes are running
> linux kernel 2.2.15 pre2.
>
> The behavior of both of the boxes in the latter configuration seems
> incorrect. However, I'm not well versed on the RFC for TCP. I don't
> actually KNOW how it's supposed to behave. How does this compare to
> other products? Older/newer linux kernels?
>
> It seems that the REJECT behavior should be consistent with the port
> actually being unavailable. It also seems that the client should fail
> immediately, since it's getting notification that the port is
> unavailable. I think I should complain to the kernel list, but I'm not
> sure. What do you think?
>
> MSG
--
pgp = Pretty Good Privacy.
To get my public pgp key, send an e-mail to: [EMAIL PROTECTED]
Visit my web site at http://www.schaffter.com
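The thread above turns on what a connecting host sees after its SYN: a TCP RST from a plainly closed port, an ICMP destination-unreachable message from a filter that answers (the REJECT case), or nothing at all (the DENY case, where the SYN is retransmitted until the client times out). The following is an added example, not code from either poster; it builds constructed packets for the three cases (addresses from the RFC 5737 documentation range, no real capture) and classifies a reply by parsing the IPv4, TCP and ICMP headers, including the copy of the original IP header and first eight transport bytes that RFC 792 puts inside an ICMP error, so that the error can be matched to the specific connection attempt it refers to. The hard/soft split of unreachable codes follows RFC 1122 section 4.2.3.9 (codes 2 to 4 are hard errors on which TCP should abort; 0, 1 and 5 are soft errors on which it must not), which is the reference point for the "should the client fail immediately" question; it goes one step beyond the thread by also covering the soft-error case.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
}
# RFC 1122 4.2.3.9: codes 2-4 are hard errors (TCP SHOULD abort the attempt),
# codes 0, 1 and 5 are soft errors (TCP MUST NOT abort, so the SYN is retried).
HARD_UNREACH_CODES = {2, 3, 4}
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ipv4_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header; checksum left zero because this is a sample."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def build_icmp_unreach(code: int, original_ip_packet: bytes) -> bytes:
    """RFC 792 destination unreachable: type, code, checksum, 4 unused bytes,
    then the offending IP header plus the first 8 bytes of its payload."""
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original_ip_packet[:28]
    return hdr[:2] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[4:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def describe_reply(probe: bytes, reply: bytes) -> str:
    """What one packet seen after our SYN (probe) means for that attempt."""
    p_ip = parse_ipv4(probe)
    p_sport, p_dport = struct.unpack("!HH", p_ip["payload"][:4])
    r_ip = parse_ipv4(reply)
    if r_ip["proto"] == socket.IPPROTO_TCP and (r_ip["src"], r_ip["dst"]) == (p_ip["dst"], p_ip["src"]):
        r_sport, r_dport, _, _, _, flags = struct.unpack("!HHIIBB", r_ip["payload"][:14])
        if (r_sport, r_dport) == (p_dport, p_sport) and flags & TCP_RST:
            return "tcp-rst"  # plain closed port: the client gives up at once
    elif r_ip["proto"] == socket.IPPROTO_ICMP:
        icmp = r_ip["payload"]
        itype, code, inner = icmp[0], icmp[1], icmp[8:]
        if itype == ICMP_DEST_UNREACH and len(inner) >= 28:
            in_ip = parse_ipv4(inner)  # the quoted original header identifies the attempt
            in_sport, in_dport = struct.unpack("!HH", in_ip["payload"][:4])
            if (in_ip["src"], in_ip["dst"], in_sport, in_dport) == (p_ip["src"], p_ip["dst"], p_sport, p_dport):
                kind = "hard" if code in HARD_UNREACH_CODES else "soft"
                return "icmp-%s-error:%s" % (kind, ICMP_UNREACH_CODES.get(code, code))
    return "unrelated"


def classify_attempt(probe: bytes, observed: list) -> str:
    """Verdict for a connection attempt given every packet seen after the SYN."""
    for pkt in observed:
        verdict = describe_reply(probe, pkt)
        if verdict != "unrelated":
            return verdict
    return "silent"  # DENY/drop: nothing answers, the SYN is retransmitted until timeout


def demo() -> dict:
    src, dst = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
    syn = build_ipv4(src, dst, socket.IPPROTO_TCP, build_tcp(40000, 23, TCP_SYN, seq=1))
    rst = build_ipv4(dst, src, socket.IPPROTO_TCP, build_tcp(23, 40000, TCP_RST | TCP_ACK, ack=2))
    unreach = build_ipv4(dst, src, socket.IPPROTO_ICMP, build_icmp_unreach(3, syn))
    return {"closed port": classify_attempt(syn, [rst]),
            "REJECT": classify_attempt(syn, [unreach]),
            "DENY": classify_attempt(syn, [])}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-12s %s" % (case, verdict))
```

Running the file prints one line per case. Matching the quoted inner header, rather than just the ICMP source address, is what lets a capture tool attribute an unreachable message to the right SYN even when the ICMP comes from a filtering router's own address instead of the destination host; the same parse is the basis of a detection rule that counts how many distinct destination ports one source has had rejected.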