ak> Why use firewalling at all then? The forwarder will send a
ak> DEST_UNREACHable when it can't find a route automatically. In
ak> extreme cases you could use a reject route.

Well, I don't find the above statement to be the case (in 2.1.102).
If I set all firewall chains to ACCEPT, i.e. ipchains -L gives:

Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

then the packets from the client taliesin to the unreachable DNS server
berlin.snafu.de via the server zahn get no negative ack.
tcpdump in this case:

17:17:38.288219 arp who-has zahn tell taliesin
17:17:38.288370 arp reply zahn is-at 0:60:97:b4:8:83
17:17:38.288541 taliesin.1029 > berlin.snafu.de.nameserver: 1+ (37)
17:17:43.321813 taliesin.1029 > berlin.snafu.de.nameserver: 1+ (37)

Regards
Steffen
--
home email: user@domain where domain=berlin.snafu.de, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
2^3021377 - 1 | "Where do you want to crash today?"