Re: PRIV: 2.1.102: ipchains: REJECT does only DENY - network gurus please

ak@muc.de
Mon, 18 May 1998 06:08:04 +0200


On Sun, May 17, 1998 at 06:28:11PM +0200, Steffen Zahn wrote:
> >>>>> "ak" == ak <ak@muc.de> writes:
>
> ak> Why use firewalling at all then? The forwarder will send a
> ak> DEST_UNREACHable when it can't find a route automatically. In
> ak> extreme cases you could use a reject route.
>
> Well, I don't find the above statement to be the case (in 2.1.102).
> If I set all firewall chains to ACCEPT, i.e. ipchains -L gives:
> Chain input (policy ACCEPT):
> Chain forward (policy ACCEPT):
> Chain output (policy ACCEPT):
>
> then the packets from the client taliesin to the unreachable DNS server
> berlin.snafu.de via the server zahn get no negative ack.

What does your routing table look like? That works when you have _no_
route, but when you use dial-on-demand there is a route of course.
You could use a reject route with the source address of the private
network in your case.

-Andi
