Re: PRIV: 2.1.102: ipchains: REJECT does only DENY - network gurus please

Steffen Zahn (zahn@berlin.snafu.de)
Mon, 18 May 1998 23:42:33 +0200


Hello,

I tried your patch.

1. ipchains can now reject packets that have destinations for which there
is no route.

22:27:42.550861 taliesin.1027 > berlin.snafu.de.nameserver: 64317+ (32)
22:27:42.551050 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable [tos 0xc0]
22:27:42.551501 taliesin.1027 > berlin.snafu.de.nameserver: 64317+ (32)
22:27:42.551614 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable [tos 0xc0]

but for some reason it generates a packet storm of > 100 DNS packets and
the same number of icmp packets in the same second. As far as the application
on the client (netscape) is concerned the behaviour looks fine now,
i.e. error message window opens immediately etc.

syslog:
May 18 23:27:42 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=60 S=0x00 I=47349 F=0x0000 T=64
May 18 23:27:42 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1027 194.64.64.1:53 L=60 S=0x00 I=47350 F=0x0000 T=64

2. empty firewall rulesets accepting all packets, no masquerading,
client sends packet via server, server has no route for that packet:

22:28:58.225743 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:28:58.225826 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]
22:29:03.220040 arp who-has taliesin tell zahn
22:29:03.220211 arp reply taliesin is-at 0:60:97:b4:8:52
22:29:03.230061 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:29:03.230148 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]
22:29:13.239859 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:29:13.239932 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]

In this case the client application (netscape) shows no visual reaction.
No packet storm in this case.

Regards
Steffen

-- 
home email:  user@domain where domain=berlin.snafu.de, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
      2^3021377 - 1     |     "Where do you want to crash today?"

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu
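As an added example (not part of Steffen's post or of the ipchains code), a small Python parser for the tcpdump output quoted above that tells the two behaviours apart: it counts per-second repeats of a query/ICMP-unreachable pair (the REJECT storm) and measures the spacing of the resolver's retries (the routed net-unreachable case). The samples are constructed from the post's lines; the 120-repeat storm is an assumption standing in for the "> 100 packets" observed.

```python
import re
from collections import Counter

# Constructed samples in the tcpdump format quoted in the post. STORM mimics the
# REJECT case (client retries at once on each ICMP port unreachable, 120 times
# within one second); BACKOFF is the routed "net unreachable" case with the
# 5 s / 10 s resolver backoff, including the arp lines the parser must skip.
STORM = "\n".join(
    "22:27:42.%06d taliesin.1027 > berlin.snafu.de.nameserver: 64317+ (32)\n"
    "22:27:42.%06d zahn > taliesin: icmp: berlin.snafu.de udp port nameserver "
    "unreachable [tos 0xc0]" % (550861 + i * 1300, 551050 + i * 1300)
    for i in range(120))
BACKOFF = """\
22:28:58.225743 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:28:58.225826 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]
22:29:03.220040 arp who-has taliesin tell zahn
22:29:03.220211 arp reply taliesin is-at 0:60:97:b4:8:52
22:29:03.230061 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:29:03.230148 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]
22:29:13.239859 taliesin.1027 > berlin.snafu.de.nameserver: 64331+ (32)
22:29:13.239932 zahn > taliesin: icmp: net berlin.snafu.de unreachable [tos 0xc0]"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): (.*)$")

def parse(text):
    """Yield (seconds since midnight, src, dst, kind, dns_id) per tcpdump line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:  # arp and other non "src > dst:" records are skipped
            continue
        h, mi, s, us, src, dst, rest = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
        if rest.startswith("icmp:") and "unreachable" in rest:
            yield t, src, dst, "icmp-unreachable", None
        else:
            q = re.match(r"(\d+)\+?", rest)  # DNS query id, e.g. "64317+"
            yield t, src, dst, "dns-query", q.group(1) if q else None

def storms(text, threshold=20):
    """Flows seen >= threshold times within one wall-clock second."""
    per_sec = Counter()
    for t, src, dst, kind, _ in parse(text):
        per_sec[(int(t), src, dst, kind)] += 1
    return sorted((k, n) for k, n in per_sec.items() if n >= threshold)

def retry_intervals(text, dns_id):
    """Seconds between retransmissions of one DNS query id (resolver backoff)."""
    times = [t for t, _, _, kind, qid in parse(text)
             if kind == "dns-query" and qid == dns_id]
    return [round(b - a, 1) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for key, n in storms(STORM):
        print("storm: %d packets in one second for %s" % (n, key[1:]))
    print("backoff intervals:", retry_intervals(BACKOFF, "64331"))
```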