AW: tcp rst instead of DROP
Philipp Snizek
mailinglists@belfin.ch
Mon, 1 Oct 2001 11:20:21 +0200
>
> Hi,
>
> On Monday 01 October 2001 10:35, Philipp Snizek wrote:
> > Hi,
> >
> > I've got a multihomed host running on inet side smtpd, sshd and webmin. At
> > the same time it acts as an iptables firewall protecting the LAN (I know,
> > it's not optimal this way but I don't have a choice). To "camouflage" the
> > filter as a normal host is it possible to send back tcp-rsts which would
> > not betray the firewall on first glance instead of dropping the packets?
> >
>
> -j REJECT --reject-with tcp-rst
>
> Look at the iptables man page on what other rejects there are.
Thanks for the hint. I couldn't find it. I'm still too used to ipchains, where -j REJECT means ICMP
host/net unreachable, host prohibited or whatever.
> On the same track though, I got a question about REJECT. If I didn't use the
> --reject-with option, would the REJECT target automatically know what type of
> response to send back? I.e., if I set up a -P FORWARD REJECT, would it
> automatically reply with a RST to TCP connections and the correct ICMP for
> UDP connections etc?
That would have been my next question.
I think we don't have to worry about UDP. As a connectionless and unreliable protocol it
does not expect an answer back the way TCP does.
> > Thanx,
> > Philipp
>
> --
> -----------------------------------
> |Oskar Andreasson |
> |Multisoft Education AB |
> |http://www.libendo.com |
> |phone: +46-8-6635555 |
> |mailto: o.andreasson@libendo.com |
> -----------------------------------
> BOFH excuse #127:
>
> Sticky bits on disk.
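The ruleset the thread talks around, written out as an added example (it is not from either poster): a multihomed host that serves smtpd/sshd/webmin on its Internet side and forwards for a LAN, and that answers everything else the way a plain host with no listener would, a TCP RST for TCP and an ICMP port-unreachable for UDP, instead of silently dropping. Two points the replies leave implicit: a chain policy (-P) can only be ACCEPT or DROP, REJECT is an extension target, so "-P FORWARD REJECT" is refused and the rejecting has to be a final rule; and a bare -j REJECT with no --reject-with sends icmp-port-unreachable for every protocol rather than picking a per-protocol answer. The interface names eth0/eth1, the LAN 192.168.1.0/24, webmin on TCP 10000 and the helper names (rule, apply_ruleset, dry_run, count_reject_rules) are assumptions of this example. Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (not in the mails):
# external interface eth0, LAN interface eth1, LAN 192.168.1.0/24, webmin on
# TCP 10000. Run as "sh fw.sh apply" (root) or "sh fw.sh dry-run" to only print.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# One rule per call; a function so a dry run can be captured and checked.
rule() { $IPT "$@"; }

apply_ruleset() {
    # Policies can only be ACCEPT or DROP: REJECT is an extension target and
    # "-P FORWARD REJECT" is rejected by iptables, hence the final rules below.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services offered on the Internet side (25 smtpd, 22 sshd, 10000 webmin assumed).
    for port in 25 22 10000; do
        rule -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done

    # The LAN may talk to the firewall and go out through it.
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Everything else aimed at the host itself gets the answer a host with no
    # listener would give: a TCP RST for TCP (the name the man page documents is
    # tcp-reset) and ICMP port-unreachable for UDP, which is also REJECT's default.
    rule -A INPUT -i "$EXT_IF" -p tcp -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$EXT_IF" -p udp -j REJECT --reject-with icmp-port-unreachable

    # Forwarded traffic that was not allowed: a bare REJECT, i.e. ICMP
    # port-unreachable regardless of protocol. REJECT does not choose per protocol.
    rule -A FORWARD -j REJECT
}

# Print the rules instead of applying them.
dry_run() { ( IPT=echo; apply_ruleset ); }

# Number of REJECT rules the ruleset contains (3 as written).
count_reject_rules() { dry_run | grep -c -- '-j REJECT'; }

case "${1:-}" in
    apply)   apply_ruleset ;;
    dry-run) dry_run ;;
esac
```

Two things to keep in mind with this approach: REJECT only exists in the filter table's INPUT, FORWARD and OUTPUT chains, and in the FORWARD chain the ICMP error is sent by the firewall with its own address as the source, so a rejected forwarded packet still points a scanner at the filtering host. For UDP, a normal host with no listener answers an unsolicited datagram with ICMP port-unreachable, which is exactly what the default REJECT sends, so rejecting UDP on the host's own ports also looks like an ordinary host, while a DROP there looks like a filter to anyone who compares the two.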