ak> On Sun, May 17, 1998 at 06:28:11PM +0200, Steffen Zahn wrote:
>> >>>>> "ak" == ak <ak@muc.de> writes:
>>
ak> Why use firewalling at all then? The forwarder will send a
ak> DEST_UNREACHable when it can't find a route automatically. In
ak> extreme cases you could use a reject route.
>> Well, I don't find the above statement to be the case (in
>> 2.1.102). If I set all firewall chains to ACCEPT, i.e. ipchains
>> -L gives:
>>
>> Chain input (policy ACCEPT):
>> Chain forward (policy ACCEPT):
>> Chain output (policy ACCEPT):
>>
>> then the packets from the client taliesin to the unreachable DNS
>> server berlin.snafu.de via the server zahn get no negative ack.
ak> What does your routing table look like? That works when you have
ak> _no_ route, but when you use dial-on-demand there is a route of
ak> course. You could use a reject route with the source address of
ak> the private network in your case.
In the case of offline operation (not connected to ISP):

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.0.0     *               255.255.255.0   U       0 0        0 eth0

So I have no route to 194.64.64.1 (DNS-server) as long as I am offline.
In the online case the ipppd will set a default route and
the DNS-server will be reachable.
But getting back to the original point:
why do I need a route to B in order to tell A that I cannot reach
B? I find this puts too many restrictions on the firewall feature.
Regards
Steffen
--
home email: user@domain where domain=berlin.snafu.de, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
2^3021377 - 1 | "Where do you want to crash today?"

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
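The disagreement above comes down to what the forwarder's route lookup returns. The following is an added illustration, not code from either poster or from the kernel: a simplified longest-prefix-match model of the three situations discussed (offline with only the LAN route, dial-on-demand with a default route via ippp0 always present, and ak's suggested reject entry scoped to the private network's source address). Only the 192.168.0.0/24 route and the 194.64.64.1 DNS address come from the mail; the client address, the ippp0 default route and the rule format are assumptions for the example, and the "reject rule" is a stand-in for whatever source-scoped reject route the real kernel version offers.

```python
import ipaddress

# Constructed example data. Only the 192.168.0.0/24 LAN route and the
# 194.64.64.1 DNS server appear in the mail; everything else is assumed.
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
CLIENT = ipaddress.ip_address("192.168.0.10")     # assumed address for taliesin
DNS_SERVER = ipaddress.ip_address("194.64.64.1")  # berlin.snafu.de's resolver

# Offline without dial-on-demand: exactly the table quoted in the mail.
OFFLINE_TABLE = [(PRIVATE_NET, "forward:eth0")]

# Dial-on-demand: the default route via ippp0 exists even while the line is
# down, which is why every outside destination "has a route" and triggers
# a dial instead of an ICMP unreachable.
DIAL_ON_DEMAND_TABLE = OFFLINE_TABLE + [(ANY, "forward:ippp0")]


def lookup(table, dst):
    """Longest-prefix match over (network, action) pairs.

    Returns the action of the most specific matching route, or None when
    no route covers dst (the "no route" case the forwarder answers with
    ICMP destination unreachable).
    """
    best = None
    for net, action in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return None if best is None else best[1]


def forward(table, src, dst, reject_rules=()):
    """Decide what the forwarding router does with a packet src -> dst.

    reject_rules is an ordered list of (source_net, dest_net) pairs; the first
    pair matching both addresses makes the forwarder answer with ICMP
    unreachable before the main table (and its dial-on-demand default route)
    is ever consulted. This models a source-scoped reject route; the exact
    syntax differs between kernel versions, so it is kept abstract here.
    """
    for src_net, dst_net in reject_rules:
        if src in src_net and dst in dst_net:
            return "icmp-net-unreachable"
    action = lookup(table, dst)
    if action is None:
        return "icmp-net-unreachable"  # no route at all: kernel answers itself
    return action                      # "forward:<iface>", may trigger a dial


def main():
    cases = [
        ("offline, LAN route only", OFFLINE_TABLE, ()),
        ("dial-on-demand default route", DIAL_ON_DEMAND_TABLE, ()),
        # While the link is down, reject everything the private net sends
        # off-LAN so the forwarder answers instead of dialling.
        ("dial-on-demand + reject from LAN", DIAL_ON_DEMAND_TABLE,
         [(PRIVATE_NET, ANY)]),
    ]
    for label, table, rules in cases:
        print(f"{label:36s} {CLIENT} -> {DNS_SERVER}: "
              f"{forward(table, CLIENT, DNS_SERVER, rules)}")


if __name__ == "__main__":
    main()
```

The third case is the one ak describes: the reject entry is meant for the time the line is down and would be removed when ipppd brings the link up, otherwise the LAN would be cut off while online as well. With all ipchains policies set to ACCEPT, none of these outcomes involve the firewall; they are purely routing decisions.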