Andrew Brooks
2003-Oct-31 09:32 UTC
[Shorewall-users] REJECT accepts connection before sending RST ?
Hi,

I'm trying to configure my SMTP port to REJECT connections by simply sending a RST. This is what I believe the REJECT command in the rules file should do. ie. input SYN, output RST

However it appears to be accepting the connection before rejecting it, ie. input SYN, output SYN ACK, then input ACK, output RST.

How can I configure it to operate in the former style? (I've searched the docs but they seem to imply it already works like that!)

(Currently running shorewall version 1.2.8)

Thanks,
Andrew
Tom Eastep
2003-Oct-31 09:38 UTC
[Shorewall-users] REJECT accepts connection before sending RST ?
On Fri, 2003-10-31 at 09:26, Andrew Brooks wrote:
> Hi,
>
> I'm trying to configure my SMTP port to REJECT connections by
> simply sending a RST. This is what I believe the REJECT command
> in the rules file should do. ie. input SYN, output RST
>
> However it appears to be accepting the connection before rejecting it,
> ie. input SYN, output SYN ACK, then input ACK, output RST.
>
> How can I configure it to operate in the former style? (I've searched
> the docs but they seem to imply it already works like that!)
>
> (Currently running shorewall version 1.2.8)

That is a kernel function and not a Shorewall function. The REJECT iptables target has been broken in several recent 2.4.x kernels although it appears to work properly in 2.4.22 and the 2.4.23-pre kernels.

Which kernel are you currently running?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Oct-31 11:03 UTC
[Shorewall-users] REJECT accepts connection before sending RST ?
On Fri, 2003-10-31 at 09:38, Tom Eastep wrote:
>
> That is a kernel function and not a Shorewall function. The REJECT
> iptables target has been broken in several recent 2.4.x kernels although
> it appears to work properly in 2.4.22 and the 2.4.23-pre kernels.

I also seem to recall seeing a patch fixing a REJECT problem on 2.6.0-test kernels.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
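
Added example (not part of the original thread and not Shorewall code): a small checker that reads `tcpdump -n` text output and reports, per client flow, whether the server answered the SYN with a RST straight away or sent SYN ACK first and reset afterwards, the two behaviours described in the thread. The function name, the verdict labels, the addresses and the capture lines are constructed for illustration.

```python
import re

# Matches `tcpdump -n` text output:
#   "<time> IP <src>.<sport> > <dst>.<dport>: Flags [S.], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify_flows(lines, server_ip, server_port):
    """Map each client (ip, port) to how the server answered its SYN."""
    server = (server_ip, server_port)
    verdict = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                      # not a TCP line we understand
        src, dst, flags = (m[1], int(m[2])), (m[3], int(m[4])), m[5]
        if dst == server and flags == "S":
            verdict.setdefault(src, "syn-unanswered")   # ignore SYN retransmits
        elif src == server and dst in verdict:
            if "S" in flags and "." in flags:           # SYN ACK: accepted first
                verdict[dst] = "accepted"
            elif "R" in flags:                          # [R] or [R.]
                if verdict[dst] == "syn-unanswered":
                    verdict[dst] = "rst-on-syn"         # input SYN, output RST
                elif verdict[dst] == "accepted":
                    verdict[dst] = "synack-then-rst"    # SYN, SYN ACK, ACK, RST
    return verdict

# Constructed capture: documentation addresses, SMTP port 25 on the server.
SAMPLE = """\
09:26:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.25: Flags [S], seq 100, win 5840, length 0
09:26:01.000150 IP 198.51.100.5.25 > 192.0.2.10.40001: Flags [R.], seq 0, ack 101, win 0, length 0
09:26:02.000100 IP 192.0.2.10.40002 > 198.51.100.5.25: Flags [S], seq 200, win 5840, length 0
09:26:02.000150 IP 198.51.100.5.25 > 192.0.2.10.40002: Flags [S.], seq 900, ack 201, win 5792, length 0
09:26:02.000300 IP 192.0.2.10.40002 > 198.51.100.5.25: Flags [.], ack 901, win 5840, length 0
09:26:02.000350 IP 198.51.100.5.25 > 192.0.2.10.40002: Flags [R], seq 901, win 0, length 0
09:26:03.000100 IP 192.0.2.10.40003 > 198.51.100.5.25: Flags [S], seq 300, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, result in classify_flows(SAMPLE, "198.51.100.5", 25).items():
        print(flow, result)
```

A flow left at `syn-unanswered` saw no reply at all within the capture, which is what a DROP rule rather than REJECT would look like from the client side.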