Since we'd like to get active rejects and logging on disallowed
connections, we used a setup like:
ipfwadm -O -a accept -P tcp ...
ipfwadm -O -a accept -P tcp ...
...
ipfwadm -O -a reject -o -P all ...
This basically works as expected, except for two problems:
- When a disallowed connection is going to be established, the
gateway rejects it with "ICMP host unreachable".
I'm somewhat unsure whether this is a good idea, since actually
the destination host might be reachable through other ports.
(And I wouldn't be astonished if some OS takes such an ICMP as
a reason to drop all already established connections to that
destination.)
Wouldn't it be better to just refuse that connection?
- If the target of a rejected connection is the gateway host,
the connection is not rejected, but blocked (i.e. no ICMP is
sent), just as if a "ipfwadm -O -a deny ..." had been set.
This is a bug, isn't it?
-- *----------------------------------------------------------------------------* Thomas Omerzu Internet: omerzu@quantum.de Quantum Software GmbH Web: http://www.quantum.de/pub/to.html Dortmund, Germany Telefon: +49-231-9749-233 Fax: -3