Hi Tom, list members,

With Shorewall's REJECT rule handling, the firewall generates a RST for
TCP and an ICMP 3/1 destination host unreachable for the other
protocols. I think it is not possible to customise this behaviour,
unless I overlooked something, but I hope not, for the sake of this email. :)

Since the stack supports specifying type 3 rejection codes, I am hoping
Shorewall could support it too. In my case I'd like the firewall to
return code 15 "Communication administratively prohibited" or code 8
"Source host isolated" for when I'm in a BOFH mood.

One simple suggestion is to define a new PROHIBIT target with a static
alternative set in shorewall.conf.

I would have suggested it to be configurable on a per-rule basis but
remain unsure if that would require too much work for its purpose.

While searching whether it would be, I fell into a discussion[1] on the
netfilter list. In it, people argued whether or not iptables should even
support tcp-rst at all. The discussion took place in the year 2000 and
became quite passionate. It's a hoot!

Now as it turns out we're 13 years later which arguably makes that
discussion old. I'll leave the boring clichés aside and try to rattle
the cage instead: is there an accepted approach these days for how to
reject?

Probably not: the Internet is a much bigger place these days. Although
it does feel like the opposite, doesn't it?

While unintended it sounds cynical to say "thank you" here so let me try
"kind regards" instead.*

Kind regards,

Mark

[1] http://lists.netfilter.org/pipermail/netfilter/2000-May/003862.html

* It worked.
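Added example, not part of Mark's message or of Shorewall's own code: what the rejected peer actually receives for each netfilter REJECT `--reject-with` option. The mapping below uses the option names of the iptables REJECT extension and the ICMP type 3 code numbers from RFC 792 / RFC 1812: `icmp-admin-prohibited` is type 3 code 13, and there is no `--reject-with` option that emits code 8 ("source host isolated"), so a REJECT target alone cannot produce it. The IPv4/UDP datagram being rejected is constructed inline for the demonstration.

```python
"""Build and decode the ICMP destination-unreachable messages that netfilter's
REJECT target sends, so the effect of each --reject-with choice can be seen
from the rejected peer's side.  Added example; not Shorewall's code."""
import struct

# iptables REJECT --reject-with names (IPv4) -> ICMP (type, code).
# tcp-reset is a TCP RST segment, not ICMP, and deliberately has no entry.
REJECT_WITH = {
    "icmp-net-unreachable": (3, 0),
    "icmp-host-unreachable": (3, 1),
    "icmp-proto-unreachable": (3, 2),
    "icmp-port-unreachable": (3, 3),
    "icmp-net-prohibited": (3, 9),
    "icmp-host-prohibited": (3, 10),
    "icmp-admin-prohibited": (3, 13),
}

# RFC 1812 names for the type 3 codes a decoder is likely to meet.
DEST_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
    15: "precedence cutoff in effect",
}

# Constructed sample: IPv4 header (20 bytes, proto 17) + UDP header to port 161.
SAMPLE_UDP_DATAGRAM = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    + struct.pack("!HHHH", 40000, 161, 8, 0)
)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_reject(reject_with: str, offending_datagram: bytes) -> bytes:
    """ICMP message a firewall emits for REJECT --reject-with <name> against
    the given IPv4 datagram.  Per RFC 792 the body quotes the original IP
    header plus the first 8 bytes of its payload (enough for the ports)."""
    if reject_with == "tcp-reset":
        raise ValueError("tcp-reset is a TCP segment, not an ICMP message")
    icmp_type, code = REJECT_WITH[reject_with]
    ihl = (offending_datagram[0] & 0x0F) * 4
    quoted = offending_datagram[: ihl + 8]
    # Header: type, code, checksum (0 while computing), 32 unused bits.
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def classify_reject(icmp_msg: bytes):
    """Decode a received ICMP error as the rejected peer would.  Returns
    (code, name, quoted protocol, quoted destination port), or None when the
    message is not a well-formed type 3 with a valid checksum."""
    if len(icmp_msg) < 8 + 20:
        return None
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp_msg[:8])
    # A valid message sums to 0xFFFF including its own checksum field.
    if icmp_type != 3 or icmp_checksum(icmp_msg) != 0:
        return None
    quoted = icmp_msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    # TCP and UDP both carry the destination port at offset 2 of their header.
    dport = struct.unpack("!H", quoted[ihl + 2: ihl + 4])[0]
    return code, DEST_UNREACH_CODES.get(code, "unassigned/other"), proto, dport


if __name__ == "__main__":
    for name in REJECT_WITH:
        code, label, proto, dport = classify_reject(build_reject(name, SAMPLE_UDP_DATAGRAM))
        print(f"{name:24s} -> type 3 code {code:2d} ({label}); quoted proto {proto} dport {dport}")
```

Running it shows that the choice between `icmp-host-unreachable` (the code 1 Mark mentions), `icmp-port-unreachable` and `icmp-admin-prohibited` changes only the code byte and checksum of what the peer sees; everything else, including the quoted ports a client uses to match the error to its socket, is identical.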

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users