Re: PRIV: 2.1.102: ipchains: REJECT does only DENY - network gurus please

Steffen Zahn (
Sun, 17 May 1998 18:28:11 +0200

>>>>> "ak" == ak <> writes:

ak> Why use firewalling at all then? The forwarder will send a
ak> DEST_UNREACHable when it can't find a route automatically. In
ak> extreme cases you could use a reject route.

Well, I don't find the above statement to be the case (in 2.1.102).
If I set all firewall chains to ACCEPT, i.e. ipchains -L gives:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

then the packets from the client taliesin to the unreachable DNS server via the server zahn get no negative ack.

tcpdump in this case:

17:17:38.288219 arp who-has zahn tell taliesin
17:17:38.288370 arp reply zahn is-at 0:60:97:b4:8:83
17:17:38.288541 taliesin.1029 > 1+ (37)
17:17:43.321813 taliesin.1029 > 1+ (37)


home email:  user@domain where, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
      2^3021377 - 1     |     "Where do you want to crash today?"
