Hi,
For TCP connections, try to do with "-j REJECT --reject-with tcp-reset".
It's faster than port unreachable!
2012/3/27 Nils Rennebarth <nils.rennebarth@xxxxxxxxxxxxxxx>:
> Hi,
>
> A simple firewall rule
> iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> prevents local processes from making TCP connections to port 80,
> and those who try will get a -ECONNREFUSED. Good.
>
> But why do they get the error only after a few seconds? A tcpdump
> shows that ICMP Packets are generated on the loopback interface:
>
> When doing
> wget http://host:80/
> exactly two ICMP packets show up on lo:
> 15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> 15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> But only the second one has an effect:
>
> Connecting to host|10.10.10.31|:80... failed: Connection refused
>
> My question is:
> 1) why?
> 2) is there another way to make connections to a certain set of hosts fail fast
> and without delay, without changing the applications themselves.
>
> --
>
> Mit freundlichen Grüßen / with kind regards
>
> Nils Rennebarth, Software Developer
>
> --
> Funkwerk IP-Appliances GmbH
> Mönchhaldenstraße 28
> D-70191 Stuttgart
>
> Tel: +49 711 900300 - 0
> Fax: +49 711 900300 - 90
>
> E-Mail: Nils.Rennebarth@xxxxxxxxxxxxxxx
>
> Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
> Managing Directors: Torsten Urban
> --------------------------------
> The information contained in this e-mail has been carefully researched,
> but the possibility of it being inapplicable in individual cases cannot
> be ruled out. We therefore regret that we cannot accept responsibility
> or liability of any kind whatsoever for the correctness of the
> information given. Please notify us if you discover that information is
> inapplicable.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
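Added example (not part of this thread, and not the poster's or the netfilter project's code): a small Python probe for checking the fail-fast behaviour discussed above. probe_connect() times a single connect() and reports the errno it fails with, so after adding either REJECT variant you can point it at a host in the rejected set and see whether you get ECONNREFUSED at once or only after a few seconds. With no arguments it probes a loopback port that was just released (assumed unused), which the kernel refuses with a TCP RST immediately, the same outcome --reject-with tcp-reset produces for a firewalled destination. icmp_gap_seconds() parses the two quoted tcpdump lines (embedded as a constructed sample) and reports the interval between the two ICMP port-unreachable messages.

```python
import errno
import socket
import time

# Constructed sample: the two ICMP lines from the quoted tcpdump output.
SAMPLE_TCPDUMP = """\
15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
"""


def _tcpdump_seconds(timestamp):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    hours, minutes, seconds = timestamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def icmp_gap_seconds(capture):
    """Seconds between the first and last 'unreachable' line of a tcpdump capture."""
    stamps = [
        _tcpdump_seconds(line.split()[0])
        for line in capture.splitlines()
        if "unreachable" in line
    ]
    if len(stamps) < 2:
        return 0.0
    return stamps[-1] - stamps[0]


def free_tcp_port(host="127.0.0.1"):
    """Ask the kernel for an unused TCP port and release it, so nothing listens there
    (assumption: nothing grabs the port between release and the probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_connect(host, port, timeout=10.0):
    """Try one TCP connect; return (errno name, or None on success, elapsed seconds).

    'ETIMEDOUT' is returned when the socket timeout fires, which is what a DROP
    rule (rather than REJECT) looks like from the application's side.
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return None, time.monotonic() - start
        except socket.timeout:
            return "ETIMEDOUT", time.monotonic() - start
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, "errno %s" % exc.errno)
            return name, time.monotonic() - start


def is_fast_refusal(err_name, elapsed, limit=1.0):
    """True when the connect failed with ECONNREFUSED well inside the limit,
    i.e. the behaviour the poster wants from the REJECT rule."""
    return err_name == "ECONNREFUSED" and elapsed < limit


if __name__ == "__main__":
    import sys
    # Usage: python probe.py [host port]; with no arguments, probe a closed loopback port.
    if len(sys.argv) == 3:
        target = (sys.argv[1], int(sys.argv[2]))
    else:
        target = ("127.0.0.1", free_tcp_port())
    err, took = probe_connect(*target)
    print("connect to %s:%d -> %s after %.3f s (fast refusal: %s)"
          % (target[0], target[1], err or "connected", took, is_fast_refusal(err, took)))
    print("gap between the two quoted ICMP packets: %.6f s" % icmp_gap_seconds(SAMPLE_TCPDUMP))
```

Run it once before and once after inserting the rule; a refusal that only shows up around the SYN retransmission interval, as in the quoted capture, will report a multi-second elapsed time, whereas a tcp-reset rejection reports ECONNREFUSED in milliseconds.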