[CLUE-Tech] Here's an idea.

David Anselmi anselmi at americanisp.net
Tue Apr 22 14:06:12 MDT 2003


Keith Hellman wrote:
[...]
> 
> I dunno.  I know that REJECT naks the syn (is that right?) instead of
> just ignoring it.  But in this scenario, we are talking about a
> connection that is already past the handshake...
> 
> ...wait a minute...
> 
> Just tried iptables -F INPUT && iptables -A INPUT -j REJECT, 
> (I lost the ssh connection), but it came back to life after I restored
> the correct rules.  The man page says that REJECT==DROP except that it
> naks the syn packet - perhaps this result should be expected.

Well, the HOWTO says that REJECT sends an ICMP error back.  My man page 
doesn't say anything about naks.  But I don't know what happens to an 
established connection that gets an ICMP error (port unreachable, say).

You can set TCP rules to return RST, which should have the obvious result.

Dave
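The three refusal behaviours discussed in this thread (DROP, REJECT with its default ICMP port-unreachable, and REJECT with a TCP RST), as an added example that is not part of the original thread or of anyone's posted rules. It assumes a Linux iptables with the REJECT target and the `state` match; the APPLY switch, the function names and the port numbers are this example's own choices. By default it only prints the iptables commands it would run, so it can be read and tested without root; with APPLY=1 it executes them. The ordering matters: the ESTABLISHED,RELATED rule comes first so that later REJECT or DROP rules only hit new connections, which is what a blanket "-A INPUT -j REJECT" lacks. On Linux an ICMP port-unreachable for a socket that is already established is recorded as a soft error and does not close the socket, so a session behind such a rule stalls but survives, whereas a TCP RST closes the peer's socket immediately.

```shell
#!/bin/sh
# Added example: DROP vs REJECT (ICMP) vs REJECT --reject-with tcp-reset.
# Nothing here is run unless APPLY=1 is set; APPLY is this script's own
# switch, not an iptables option.

IPT=${IPT:-iptables}

# run ARGS...: print the iptables command; execute it only when APPLY=1.
run() {
    echo "$IPT $*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    fi
}

# keep_established: pass packets of sessions that were already accepted, so
# the REJECT/DROP rules appended afterwards only affect new connections.
keep_established() {
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# reject_tcp_port PORT [KIND]: refuse new TCP connections to PORT.
#   rst  - REJECT with a TCP RST: the client's connect() fails at once
#   icmp - REJECT with ICMP port-unreachable (the REJECT default for TCP):
#          the client's SYN is answered with an ICMP error
#   drop - DROP: nothing is sent back, the client retries until it times out
reject_tcp_port() {
    port=$1
    kind=${2:-rst}
    case "$kind" in
        rst)  run -A INPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset ;;
        icmp) run -A INPUT -p tcp --dport "$port" -j REJECT --reject-with icmp-port-unreachable ;;
        drop) run -A INPUT -p tcp --dport "$port" -j DROP ;;
        *)    echo "reject_tcp_port: unknown kind '$kind'" >&2; return 1 ;;
    esac
}

# kill_established_tcp PORT: insert at the top of INPUT, ahead of the
# ESTABLISHED rule, so packets of live sessions to PORT are matched too.
# With tcp-reset the peer receives a RST and its socket is closed; with the
# default ICMP reject the peer only sees soft errors and the session hangs
# until the rule is removed.
kill_established_tcp() {
    run -I INPUT 1 -p tcp --dport "$1" -j REJECT --reject-with tcp-reset
}

# plan: a small rule set showing the shapes above (ports 23 and 135 are
# arbitrary choices for the illustration).
plan() {
    run -F INPUT
    keep_established
    reject_tcp_port 23 rst
    reject_tcp_port 135 drop
}

# Only build the rule set when invoked with "plan", so the file can also be
# sourced just for its functions.
if [ "${1:-}" = "plan" ]; then
    plan
fi
```

Usage: `sh reject_example.sh plan` prints the rule set; `APPLY=1 sh reject_example.sh plan` applies it (as root). To reproduce the lock-out from the quoted experiment without losing the session for good, call `kill_established_tcp 22` on a test host you have console access to: with tcp-reset the ssh client reports a reset immediately rather than hanging.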
