Is it possible to specify the action taken on reject? I believe netfilter sends an ICMP "destination unreachable" message, but I'd like to configure shorewall to reject TCP connections to specific ports using a TCP RST packet. Any idea?

Thanks,
Riccardo
On Monday 07 January 2002 06:29 am, Riccardo Valente wrote:
> Is it possible to specify the action taken on reject? I believe netfilter
> sends an ICMP "destination unreachable" message, but I'd like to configure
> shorewall to reject TCP connections to specific ports using a TCP RST
> packet. Any idea?
>

The later versions of Shorewall already do that (unless you've found a case that I missed).

-Tom
-- 
Tom Eastep          \ A Firewall for Linux 2.4.*
AIM: tmeastep       \ http://www.shorewall.net
ICQ: #60745924      \ teastep@shorewall.net
-------------------------------------------
You were right: I wasn't using a recent version, it's now working as expected.

Many thanks,
Riccardo

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Riccardo Valente" <riccardo@thevalentes.net>; <shorewall-users@shorewall.net>
Sent: Monday, January 07, 2002 2:54 PM
Subject: Re: [Shorewall-users] reject with tcp rst

> On Monday 07 January 2002 06:29 am, Riccardo Valente wrote:
> > Is it possible to specify the action taken on reject? I believe netfilter
> > sends an ICMP "destination unreachable" message, but I'd like to configure
> > shorewall to reject TCP connections to specific ports using a TCP RST
> > packet. Any idea?
> >
>
> The later versions of Shorewall already do that (unless you've found a case
> that I missed).
>
> -Tom
> -- 
> Tom Eastep          \ A Firewall for Linux 2.4.*
> AIM: tmeastep       \ http://www.shorewall.net
> ICQ: #60745924      \ teastep@shorewall.net
> -------------------------------------------
>
On Monday 07 January 2002 06:54 am, Tom Eastep wrote:
> On Monday 07 January 2002 06:29 am, Riccardo Valente wrote:
> > Is it possible to specify the action taken on reject? I believe netfilter
> > sends an ICMP "destination unreachable" message, but I'd like to
> > configure shorewall to reject TCP connections to specific ports using a
> > TCP RST packet. Any idea?
>
> The later versions of Shorewall already do that (unless you've found a case
> that I missed).

I DID miss the case of a REJECT policy (such as usually found in the all2all chain). I've placed a corrected firewall script at:

ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.2/firewall

Place the script in the location pointed to by the symbolic link /etc/shorewall/firewall.

-Tom
-- 
Tom Eastep          \ A Firewall for Linux 2.4.*
AIM: tmeastep       \ http://www.shorewall.net
ICQ: #60745924      \ teastep@shorewall.net
-------------------------------------------
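The thread turns on which reply netfilter's REJECT target sends: by default an ICMP port-unreachable, or a TCP RST when the rule says --reject-with tcp-reset. The script below is an added illustration of that mechanism, not Shorewall's firewall script or any code from the list. It builds the per-port rule Riccardo asked about, the policy-style chain Tom's follow-up refers to (a chain such as all2all that must cover TCP and non-TCP traffic), and an audit over iptables-save text that flags TCP REJECT rules which still fall back to the ICMP default. The function names, the chain named all2all and the iptables-save sample are assumptions constructed for the example; nothing is applied to a live firewall.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Illustrates the netfilter REJECT
# target's two reply types and how to audit for the ICMP fallback on TCP.
# Rules are printed, never executed.

# Rule rejecting traffic to one port. For tcp the reply is a TCP RST
# (--reject-with tcp-reset); otherwise netfilter's default reply,
# icmp-port-unreachable, is kept. Prints the rule and applies nothing.
reject_rule() {
    proto=$1
    port=$2
    if [ "$proto" = tcp ]; then
        printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
    else
        printf 'iptables -A INPUT -p %s --dport %s -j REJECT --reject-with icmp-port-unreachable\n' "$proto" "$port"
    fi
}

# Rules for a policy-style reject chain (chain name is an assumption): TCP
# traffic gets a RST, everything else the ICMP default, so a REJECT policy
# covers every protocol rather than only the per-port rules.
reject_chain_rules() {
    chain=$1
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A %s -p tcp -j REJECT --reject-with tcp-reset\n' "$chain"
    printf 'iptables -A %s -j REJECT --reject-with icmp-port-unreachable\n' "$chain"
}

# Audit iptables-save text on stdin. Every rule that matches tcp and REJECTs
# without tcp-reset (clients would get ICMP instead of a RST) is reported on
# stderr; the count of such rules is printed on stdout.
audit_tcp_rejects() {
    count=0
    while IFS= read -r line; do
        case $line in
            *"-p tcp"*"-j REJECT"*)
                case $line in
                    *"--reject-with tcp-reset"*) ;;
                    *) printf 'no tcp-reset: %s\n' "$line" >&2
                       count=$((count + 1)) ;;
                esac ;;
        esac
    done
    echo "$count"
}

# Constructed sample in iptables-save format (not taken from a real host).
# The all2all rule on the second line is the case the thread describes:
# a policy-chain REJECT for tcp that was left on the ICMP default.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:all2all - [0:0]
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A all2all -p tcp -j REJECT
-A all2all -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Number of offending rules in the constructed sample (expected: 1).
sample_offenders() {
    printf '%s\n' "$SAMPLE_RULES" | audit_tcp_rejects 2>/dev/null
}

# Stand-alone run: show the rules and audit the sample.
reject_rule tcp 113
reject_rule udp 113
reject_chain_rules all2all
printf '%s\n' "$SAMPLE_RULES" | audit_tcp_rejects
```

On a real host the audit function is fed with `iptables-save | audit_tcp_rejects`; a non-zero count means some TCP traffic is still being refused with ICMP rather than a RST, which is exactly the symptom of the policy-chain case fixed in the errata script. The check is string-based and assumes iptables-save's rule layout, so a rule written with `-j REJECT` before `-p tcp` would not be caught.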