Firewalling in recent kernels

Thomas Omerzu (
Wed, 15 May 1996 21:52:24 +0200 (MET DST)

We tried to set up a linux-1.3.91 with packet filtering (with
IP forwarding and IP firewalling enabled).

Since we'd like to get active rejects and logging on disallowed
connections, we used a setup like:

ipfwadm -O -a accept -P tcp ...
ipfwadm -O -a accept -P tcp ...
ipfwadm -O -a reject -o -P all ...

This basically works as expected, except for two problems:

- When a disallowed connection is going to be established, the
gateway rejects it with "ICMP host unreachable".
I'm somewhat unsure whether this is a good idea, since actually
the destination host might be reachable through other ports.
(And I wouldn't be astonished if some OS takes such an ICMP as
a reason to drop all already established connections to that
Wouldn't it be better to just refuse that connection?

- If the target of a rejected connection is the gateway host,
the connection is not rejected, but blocked (i.e. no ICMP is
sent), just as if an "ipfwadm -O -a deny ..." had been set.
This is a bug, isn't it?

    Thomas Omerzu

*----------------------------------------------------------------------------*
 Thomas Omerzu             Internet:
 Quantum Software GmbH     Web:
 Emil-Figge-Str. 83        Telefon: +49-231-9749-233   Fax: -3
 44227 Dortmund, Germany   PGP Fingerpr: 3852EB51 9F2DB1FB 0785CE2F 8CD9C6CB
*----------------------------------------------------------------------------*