REJECT target faster for remote than for local packets?
Hi,

A simple firewall rule

iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT

prevents local processes from making TCP connections to port 80, and those who try will get a -ECONNREFUSED. Good.

But why do they get the error only after a few seconds? A tcpdump shows that ICMP packets are generated on the loopback interface: when doing

wget http://host:80/

exactly two ICMP packets show up on lo:

15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68

But only the second one has an effect:

Connecting to host|10.10.10.31|:80... failed: Connection refused

My questions are:

1) Why?

2) Is there another way to make connections to a certain set of hosts fail fast and without delay, without changing the applications themselves?

--
Kind regards / with kind regards
Nils Rennebarth, Software Developer
--
Funkwerk IP-Appliances GmbH
Mönchhaldenstraße 28
D-70191 Stuttgart
Tel: +49 711 900300 - 0
Fax: +49 711 900300 - 90
E-Mail: Nils.Rennebarth@xxxxxxxxxxxxxxx
Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
Managing Directors: Torsten Urban
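A small probe for checking the behaviour the post describes, added here as an example and not part of the original message: it attempts one TCP connect to a host and port of your choosing (the post's "host:80" becomes function arguments) and reports whether the attempt was refused, timed out or succeeded, and how long that took, so you can tell an immediate ECONNREFUSED from one that only arrives with the retransmitted SYN a few seconds later. The helper that picks a closed loopback port is constructed for stand-alone runs.

```python
import errno
import socket
import time


def probe_connect(host, port, timeout=5.0):
    """Make one TCP connect attempt and classify the result.

    Returns (outcome, seconds): outcome is "connected", "refused",
    "timeout", or the errno name of any other failure.
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            outcome = "refused"
        else:
            outcome = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()
    return outcome, time.monotonic() - start


def fails_fast(host, port, max_seconds=1.0):
    """True only if the connect is refused well under a SYN retransmit interval."""
    outcome, elapsed = probe_connect(host, port)
    return outcome == "refused" and elapsed < max_seconds


def closed_local_port():
    """Constructed helper: pick an ephemeral loopback port that nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Without any firewall rule a closed loopback port is refused immediately
    # (the kernel answers the SYN with a RST); compare against a REJECTed target.
    p = closed_local_port()
    print(p, probe_connect("127.0.0.1", p), fails_fast("127.0.0.1", p))
```

Point it at a host and port covered by the REJECT rule to measure the delay the post reports; a refusal that takes about three seconds indicates the error only arrived with the second ICMP.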