[CLUE-Tech] Here's an idea.
Keith Hellman
kehellman at yahoo.com
Tue Apr 22 21:28:26 MDT 2003
On Tue, Apr 22, 2003 at 02:06:12PM -0600, David Anselmi wrote:
> Keith Hellman wrote:
> [...]
> >
> >I dunno. I know that REJECT naks the syn (is that right?) instead of
> >just ignoring it. But in this scenario, we are talking about a
> >connection that is already past the hand shake...
> >
> >...wait a minute...
> >
> >Just tried iptables -F INPUT && iptables -A INPUT -j REJECT,
> >(I lost the ssh connection), but it came back to life after I restored
> >the correct rules. The man page says that REJECT==DROP except that it
> >naks the syn packet - perhaps this result should be expected.
>
> Well, the HOWTO says that REJECT sends an ICMP error back. My man page
> doesn't say anything about naks. But I don't know what happens to an
> established connection that gets an ICMP error (port unreachable, say).
>
That's what I meant, in that I was using 'nak' as a generic term, not
something specific to TCP.
I would think that if an *established* connection got an ICMP port
unreachable error, it would be ignored. The connection is already
established - the ICMP could have had its arrival delayed from a
previous connection attempt (I'm referring to within the same connect()
call, multiple SYNs can go out).
I dunno if there are any ICMP error types that are valid after a TCP
connection is established - I just don't know the protocol that well.
I didn't sniff the wire to see if my established connection was
eliciting any ICMP errors from my notebook AFTER I inserted the
REJECT rule. Perhaps tomorrow...
--
Keith Hellman #include <disclaimer.h>
kehellman at yahoo.com from disclaimer import standard
"We are born wet, naked, and hungry. Then things get worse."
--Unknown
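The question left open above (what an established TCP connection does with an ICMP port-unreachable) is worked through below as an added example; it is not part of the original thread and not code from anyone on the list. Two facts it relies on: the iptables REJECT target in INPUT defaults to sending ICMP destination-unreachable, code port-unreachable (only `--reject-with tcp-reset` sends a TCP RST, and a RST does tear an established connection down); and the Linux TCP stack (tcp_v4_err) aborts a connection on a destination-unreachable only while it is still in SYN_SENT or SYN_RECV, recording nothing more than a soft error once the connection is established, which is why the ssh session in the post came back to life. The code models that logic, including how the error is matched to a socket through the IP header and first 8 bytes of TCP header quoted inside the ICMP message, and the check that the quoted sequence number lies in the socket's send window. All addresses, ports, sequence numbers and the function names (`handle_icmp_error`, `demo`, and so on) are constructed for the example.

```python
# Added example (not from the thread): a toy model of what a Linux TCP stack
# does with the ICMP port-unreachable that iptables' REJECT emits by default.
# Addresses, ports and sequence numbers below are constructed sample data.
import errno
import socket
import struct

SYN_SENT, SYN_RECV, ESTABLISHED, CLOSED = "SYN_SENT", "SYN_RECV", "ESTABLISHED", "CLOSED"
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3

# Simplified version of the kernel's icmp_err_convert table (assumption: common codes only).
DEST_UNREACH_ERRNO = {
    0: errno.ENETUNREACH, 1: errno.EHOSTUNREACH, 2: errno.ENOPROTOOPT,
    3: errno.ECONNREFUSED, 4: errno.EMSGSIZE,
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, flags=0x02, payload=b""):
    """Minimal IPv4+TCP datagram (no options); flags 0x02 = SYN, 0x18 = PSH|ACK."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def build_icmp_port_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 code 3 (RFC 792): 4 unused bytes, then the offending IP header plus
    the first 8 bytes of its payload, which for TCP are src port, dst port and seq."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_error(icmp: bytes):
    """Return (type, code, proto, (src, sport, dst, dport), seq) taken from the quoted header."""
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return icmp[0], icmp[1], inner[9], (src, sport, dst, dport), seq


def seq_between(seq, low, high):
    """low <= seq <= high in 32-bit modular arithmetic (the kernel's between())."""
    return ((high - low) & 0xFFFFFFFF) >= ((seq - low) & 0xFFFFFFFF)


def handle_icmp_error(sockets: dict, icmp: bytes) -> str:
    """Simplified mirror of the kernel's tcp_v4_err(): find the socket by the quoted
    4-tuple, check the quoted seq against the send window, abort only a connection
    that is still being set up, otherwise just record a soft error."""
    if inet_checksum(icmp) != 0:
        return "dropped: bad checksum"
    itype, code, proto, key, seq = parse_icmp_error(icmp)
    if proto != socket.IPPROTO_TCP:
        return "ignored: not TCP"
    sk = sockets.get(key)
    if sk is None:
        return "dropped: no matching socket"
    if not seq_between(seq, sk["snd_una"], sk["snd_nxt"]):
        return "dropped: quoted seq outside send window"
    if itype != ICMP_DEST_UNREACH:
        return "ignored: only destination-unreachable is modelled here"
    err = DEST_UNREACH_ERRNO.get(code, errno.EHOSTUNREACH)
    if sk["state"] in (SYN_SENT, SYN_RECV):
        sk["state"], sk["err"] = CLOSED, err   # connect() fails with this errno
        return "aborted: " + errno.errorcode[err]
    sk["err_soft"] = err                        # established: noted, connection lives on
    return "soft error: " + errno.errorcode[err]


def new_socket(state, snd_una, snd_nxt):
    return {"state": state, "snd_una": snd_una, "snd_nxt": snd_nxt, "err": 0, "err_soft": 0}


def demo():
    """Constructed scenario: 10.0.0.1 has one ssh connect() in flight and one established
    ssh session to 10.0.0.2, which has just run 'iptables -F INPUT; iptables -A INPUT -j REJECT'."""
    sockets = {
        ("10.0.0.1", 40000, "10.0.0.2", 22): new_socket(SYN_SENT, 1000, 1001),
        ("10.0.0.1", 40001, "10.0.0.2", 22): new_socket(ESTABLISHED, 5000, 5100),
    }
    syn = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 22, seq=1000)
    data = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40001, 22, seq=5050, flags=0x18, payload=b"ssh")
    forged = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40001, 22, seq=99999, flags=0x10)
    results = {
        "syn_sent": handle_icmp_error(sockets, build_icmp_port_unreachable(syn)),
        "established": handle_icmp_error(sockets, build_icmp_port_unreachable(data)),
        "forged_seq": handle_icmp_error(sockets, build_icmp_port_unreachable(forged)),
    }
    results["states"] = {k[1]: v["state"] for k, v in sockets.items()}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The third case in `demo()` is the reason the sequence-number check matters: an ICMP error whose quoted segment does not fall inside the socket's send window is discarded before it can touch the connection, so a blind sender cannot reset or refuse a connection just by knowing the 4-tuple. On the firewall side, the practical fix for the experiment in the post is to accept `-m state --state ESTABLISHED,RELATED` traffic before any REJECT rule, so that existing sessions are never subjected to the error in the first place.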