I just started reading the IPCHAINS-HOWTO but from what I can remember, you're
telling any packet wishing to make a connection coming in on the input chain
using TCP/IP on port 1023 that it is rejected.  As a result, no connections
are being permitted.


> As long as we're on the subject of firewalls, I have a question that I'd
> like to ask:
>
> If I have a linux box with no firewalling rules, and I attempt to
> connect from <src_ip>:<src_port> to <dest_ip>:<dest_port>, where dest is
> my unprotected linux box, and the port I'm trying to connect to is not
> open, I see the following traffic (pretty close):
>
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip>:<dest_port> -> <src_ip>:<src_port> : ICMP tcp port not
> reachable
>
> and the application fails the connection immediately.  Now, I turn on
> firewalling on my linux box.  I use the following ipchains command:
> ipchains -A input -i eth1 -y -p TCP --destination-port :1023 -j REJECT
> Now, I attempt the connection again, and see something like the
> following traffic:
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> <src_ip>:<src_port> -> <dest_ip>:<dest_port> : SYN
> <dest_ip> -> <src_ip> : ICMP tcp port not reachable
> ...
>
> So, the linux box with firewalling in place is certainly REJECT'ing
> connection attempts, but not in a manner uniform with the port being
> simply closed.  Additionally, the client _DOES NOT FAIL_.  It tries
> again until it times out (much later).  Both of these boxes are running
> linux kernel 2.2.15 pre2.
>
> The behavior of both of the boxes in the latter configuration seems
> incorrect.  However, I'm not well versed on the RFC for TCP.  I don't
> actually KNOW how it's supposed to behave.  How does this compare to
> other products?  Older/newer linux kernels?
>
> It seems that the REJECT behavior should be consistent with the port
> actually being unavailable.  It also seems that the client should fail
> immediately, since it's getting notification that the port is
> unavailable.  I think I should complain to the kernel list, but I'm not
> sure.  What do you think?
>
> MSG

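
The traces quoted above show three different answers a SYN can get from a
Linux box: a TCP RST/ACK from a closed port, an ICMP port unreachable from
the ipchains REJECT target, or nothing at all from DENY.  Below is an added
example, not code from anyone in this thread, that builds those packets
inline (constructed data; IP and TCP checksums are left at zero and not
checked), labels each reply, and checks whether the quoted rule would match
the SYN in the first place.  Two facts it encodes: ipchains reads
`--destination-port :1023` as the range 0 through 1023, and `-y` matches
only packets with SYN set and ACK and FIN clear.  The "hard error" flag it
returns follows RFC 1122 section 4.2.3.9, which says a TCP should abort a
connection on Destination Unreachable codes 2 through 4 (port unreachable
is code 3) but treat silence as something to retry.  Addresses and ports
are made up.

```python
"""What a TCP SYN gets back from a Linux host: RST, ICMP port unreachable,
or silence.  Added example for this thread, not code from the original
posts.  Packets are constructed inline (checksums zero and unchecked);
addresses and ports are invented."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3  # ICMP type 3, code 3

# Constructed endpoints (TEST-NET-1); the server port falls inside the
# ":1023" range of the quoted ipchains rule.
CLIENT, SERVER = "192.0.2.10", "192.0.2.1"
CLIENT_PORT, SERVER_PORT = 40000, 23


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header, no options, no data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       8192, 0, 0)


def icmp_port_unreachable(offending_ip_packet):
    """RFC 792 Destination Unreachable: 8-byte ICMP header followed by the
    offending IP header plus the first 8 bytes of its payload (the ports)."""
    ihl = (offending_ip_packet[0] & 0x0F) * 4
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    return head + offending_ip_packet[: ihl + 8]


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])


def parse_tcp_flags(seg):
    """Return (sport, dport, flags) from a full TCP header."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", seg[:14])
    return sport, dport, flags


def port_range(spec):
    """ipchains port syntax: 'N', 'A:B', ':B' (0..B) or 'A:' (A..65535)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0), int(hi or 65535)
    return int(spec), int(spec)


def rule_matches(pkt, dport_spec=":1023"):
    """Would 'ipchains -A input -y -p TCP --destination-port <spec>' match?
    -y means SYN set with ACK and FIN clear, i.e. connection openers only."""
    _src, _dst, proto, seg = parse_ipv4(pkt)
    if proto != IPPROTO_TCP:
        return False
    _sport, dport, flags = parse_tcp_flags(seg)
    opener = bool(flags & TCP_SYN) and not flags & (TCP_ACK | TCP_FIN)
    lo, hi = port_range(dport_spec)
    return opener and lo <= dport <= hi


def classify_reply(syn_pkt, reply_pkt):
    """Return (description, hard_error) for what came back to a SYN.
    hard_error follows RFC 1122 4.2.3.9: RST and ICMP unreachable codes 2-4
    abort the connect; silence just leads to SYN retransmission."""
    s_src, s_dst, _p, s_seg = parse_ipv4(syn_pkt)
    s_sport, s_dport, _f = parse_tcp_flags(s_seg)
    if reply_pkt is None:
        return "filtered (DENY): no reply, client retransmits SYN", False
    r_src, r_dst, proto, body = parse_ipv4(reply_pkt)
    if proto == IPPROTO_TCP:
        r_sport, r_dport, flags = parse_tcp_flags(body)
        if flags & TCP_RST and (r_src, r_dst, r_sport, r_dport) == \
                (s_dst, s_src, s_dport, s_sport):
            return "closed port: TCP RST/ACK, ECONNREFUSED at once", True
        return "unexpected TCP reply", False
    if proto == IPPROTO_ICMP:
        itype, icode = body[0], body[1]
        o_src, o_dst, o_proto, o_seg = parse_ipv4(body[8:])  # quoted SYN
        o_sport, o_dport = struct.unpack("!HH", o_seg[:4])
        if (itype, icode) == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH) and \
                o_proto == IPPROTO_TCP and \
                (o_src, o_dst, o_sport, o_dport) == (s_src, s_dst, s_sport, s_dport):
            return "ipchains REJECT: ICMP port unreachable quoting our SYN", True
        return "unrelated ICMP", False
    return "unknown protocol %d" % proto, False


def simulate():
    """Build the SYN from the thread and its three possible answers."""
    syn = ipv4(CLIENT, SERVER, IPPROTO_TCP,
               tcp(CLIENT_PORT, SERVER_PORT, TCP_SYN, seq=1000))
    rst = ipv4(SERVER, CLIENT, IPPROTO_TCP,
               tcp(SERVER_PORT, CLIENT_PORT, TCP_RST | TCP_ACK, ack=1001))
    unreach = ipv4(SERVER, CLIENT, IPPROTO_ICMP, icmp_port_unreachable(syn))
    return {
        "rule_matches_syn": rule_matches(syn),
        "closed": classify_reply(syn, rst),
        "rejected": classify_reply(syn, unreach),
        "filtered": classify_reply(syn, None),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, "->", result)
```

Whether the client honours the ICMP as a hard error is up to its own TCP
stack, which is what the quoted traces are really probing.  If you want a
REJECT that looks exactly like a closed port to every client, the later
iptables REJECT target can answer with a TCP reset instead of ICMP
(`-j REJECT --reject-with tcp-reset`); ipchains REJECT only sends ICMP.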