quando.linux-kernel: Firewalling in recent kernels

linuxk@quantum.de
15 May 1996 20:55:41 GMT


We tried to set up a linux-1.3.91 with packet filtering (with
IP forwarding and IP firewalling enabled).

Since we'd like to get active rejects and logging on disallowed
connections, we used a setup like:

ipfwadm -O -a accept -P tcp ...
ipfwadm -O -a accept -P tcp ...
...
ipfwadm -O -a reject -o -P all ...

This basically works as expected, except for two problems:

- When a disallowed connection is going to be established, the
gateway rejects it with "ICMP host unreachable".
I'm somewhat unsure whether this is a good idea, since actually
the destination host might be reachable through other ports.
(And I wouldn't be astonished if some OS takes such an ICMP as
a reason to drop all already established connections to that
destination.)
Wouldn't it be better to just refuse that connection?

- If the target of a rejected connection is the gateway host,
the connection is not rejected, but blocked (i.e. no ICMP is
sent), just as if a "ipfwadm -O -a deny ..." had been set.
This is a bug, isn't it?

-- 
*----------------------------------------------------------------------------*
      Thomas Omerzu        Internet:   omerzu@quantum.de
  Quantum Software GmbH    Web:        http://www.quantum.de/pub/to.html
    Dortmund, Germany      Telefon:    +49-231-9749-233      Fax: -3