Is pool.net the instance doing the routing? Or is it acting as a packet filter in front of another host?

From the ipf.conf man page:

    block indicates that the packet should be flagged to be dropped. In
    response to blocking a packet, the filter may be instructed to send a
    reply packet, either an ICMP packet (return-icmp), an ICMP packet
    masquerading as being from the original packet's destination
    (return-icmp-as-dest), or a TCP "reset" (return-rst).

You can send an ICMP masquerading as the original packet's destination, but not a RST. Instead, you should use `return-icmp port-unr`, or move the packet filter back to the actual destination host.

--
Brian Bennett
Systems Engineer, Cloud Operations
Joyent, Inc. | www.joyent.com

> On Sep 25, 2015, at 2:46 AM, Eric <[email protected]> wrote:
>
> I have a joyent zone (base64 62f148f8-6e84-11e4-82c5-efca60348b9f) with
> allow_ip_spoofing enabled, and IPv4 forwarding enabled on the nic that is
> routable to the gateway.
>
> I am trying to block incoming traffic (ssh in this example) and also return a
> reset packet. However, I'm not seeing the RST packets being sent. Is there
> something I'm missing?
>
> $ ssh [email protected]
> ssh: connect to host pool.net port 22: Connection timed out
>
> [root@dmz ~]# snoop port 22
> Using device net0 (promiscuous mode)
> pool.net -> 10.0.1.254 TCP D=22 S=1025 Syn Seq=1196993286 Len=0 Win=64512 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
> pool.net -> 10.0.1.254 TCP D=22 S=1025 Syn Seq=1196993286 Len=0 Win=64512 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
> pool.net -> 10.0.1.254 TCP D=22 S=1025 Syn Seq=1196993286 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
>
> ipf.conf:
> block return-rst in proto tcp from any to any
>
> {
>   "brand": "joyent",
>   "alias": "dmz",
>   "hostname": "dmz",
>   "autoboot": true,
>   "max_physical_memory": 512,
>   "cpu_cap": 600,
>   "quota": "5",
>   "image_uuid": "62f148f8-6e84-11e4-82c5-efca60348b9f",
>   "nics": [
>     {
>       "nic_tag": "dmz",
>       "ip": "10.0.1.254",
>       "gateway": "10.0.1.1",
>       "netmask": "255.255.255.0",
>       "primary": true
>     },
>     {
>       "nic_tag": "elastic0",
>       "ip": "12.0.0.1",
>       "gateway": "12.0.0.1",
>       "netmask": "255.255.255.0",
>       "primary": false
>     },
>     {
>       "nic_tag": "vpn0",
>       "ip": "12.0.1.1",
>       "gateway": "12.0.1.1",
>       "netmask": "255.255.255.248",
>       "primary": false
>     },
>     {
>       "nic_tag": "vpnlan0",
>       "ip": "12.0.1.4",
>       "gateway": "12.0.1.4",
>       "netmask": "255.255.255.248",
>       "primary": false
>     },
>     {
>       "nic_tag": "ssh0",
>       "ip": "12.0.2.1",
>       "gateway": "12.0.2.1",
>       "netmask": "255.255.255.248",
>       "primary": false
>     }
>   ],
>   "resolvers": [
>     "8.8.8.8",
>     "8.8.4.4"
>   ]
> }
>
> smartos-discuss | Archives <https://www.listbox.com/member/archive/184463/=now>
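As an added illustration of the rule change Brian describes (this is not from the thread; it is an assumed ipf.conf for a zone that forwards for hosts behind it, with the interface name net0 and the 10.0.1.254:22 flow taken from Eric's snoop output), the original `return-rst` rule is shown beside the `return-icmp` form and the `return-icmp-as-dest` variant for the filter-in-front case:

```conf
# Added example, not from the thread: ipf.conf for a forwarding SmartOS zone.
# net0 and the 10.0.1.254:22 flow come from the snoop output above; the rest
# is assumed.

# Original rule. On the forwarding zone the filter does not emit the TCP RST,
# so the client keeps retransmitting SYNs until it times out, which is exactly
# the three unanswered SYNs the snoop shows.
# block return-rst in proto tcp from any to any port = 22

# Replacement: answer the blocked SYN with an ICMP port-unreachable instead.
# The client gets an immediate error rather than hanging on the timeout.
block return-icmp(port-unr) in quick on net0 proto tcp from any to 10.0.1.254 port = 22

# Variant for a zone filtering in front of another host: source the ICMP from
# the original destination address so the client sees the reply come from the
# host it actually tried to reach.
# block return-icmp-as-dest(port-unr) in quick on net0 proto tcp from any to 10.0.1.254 port = 22

# Everything else that is forwarded: stateful pass keyed on the SYN.
pass in quick on net0 proto tcp from any to any flags S keep state
pass out quick on net0 proto tcp from any to any flags S keep state
```

If the ssh host is the real destination, Brian's other option applies: run the `block return-rst` rule on that host itself rather than on the forwarding zone.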
