Re: PRIV: 2.1.102: ipchains: REJECT does only DENY - network gurus please

Steffen Zahn (
Mon, 18 May 1998 07:16:56 +0200

>>>>> "ak" == ak <> writes:

ak> On Sun, May 17, 1998 at 06:28:11PM +0200, Steffen Zahn wrote:
>> >>>>> "ak" == ak <> writes:
ak> Why use firewalling at all then? The forwarder will send a
ak> DEST_UNREACHable when it can't find a route automatically. In
ak> extreme cases you could use a reject route.
>> Well, I don't find the above statement to be the case (in
>> 2.1.102). If I set all firewall chains to ACCEPT, i.e. ipchains
>> -L gives: Chain input (policy ACCEPT): Chain forward (policy
>> ACCEPT): Chain output (policy ACCEPT):
>> then the packets from the client taliesin to the unreachable DNS
>> server via the server zahn get no negative ack.

ak> What does your routing table look like? That works when you have
ak> _no_ route, but when you use dial-on-demand there is a route of
ak> course. You could use a reject route with the source address of
ak> the private network in your case.

In the case of offline operation (not connected to ISP):
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface * U 0 0 0 eth0

So I have no route to (DNS-server) as long as I am offline.
In the online case the ipppd will set a default route and
the DNS-server will be reachable.

But getting back to the original point:
why do I need a route to B in order to tell A that I cannot reach
B. I find this puts to much restrictions on the firewall feature.


home email:  user@domain where, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
      2^3021377 - 1     |     "Where do you want to crash today?"

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to