Re: Errors from TCP connections (was: How to build circular dependant packages in debian)
On Mon, Sep 20, 2021 at 11:45:06AM +0200, Bastian Blank wrote:
> On Mon, Sep 20, 2021 at 02:11:06AM +0000, Paul Wise wrote:
> > Normally one would get "Connection refused" when connecting to a port
> > that isn't open,
>
> "Connection refused" is generated by TCP reset packets.

That, or ICMP type 1 code 3 packets ("destination port unreachable"). See
below.

> > but at this site one gets "No route to host", as if
> > there is no network path to reach the host,
>
> "No route to host" is generated by an ICMP error.

Specifically, by ICMP type 1 code 1 ("destination host unreachable"). It
has become fashionable to use that code to reject connection attempts,
but personally I find that to be very confusing if it's used for a
single port rather than a whole host or network.

It's possible to use the correct ICMP code in firewalls, and then
connection error messages become far less confusing:

root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
root@pc181009:~# iptables -D INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-host-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: No route to host

but you do you of course ;-)

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
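
Added example, not part of the original message: a small Python probe that reports which error a TCP connect fails with and which of the firewall behaviours shown in the session above would explain it. The function names, the timeout value and the timeout case are assumptions made for this example; the port is the one from the session.

```python
import errno
import os
import socket

# What usually produces each connect() result on Linux. The two REJECT
# variants are the ones shown in the message; the timeout case is an
# addition (a filter that silently drops the SYN).
LIKELY_CAUSE = {
    0: "port open (handshake completed)",
    errno.ECONNREFUSED: "TCP reset, or REJECT --reject-with icmp-port-unreachable",
    errno.EHOSTUNREACH: "REJECT --reject-with icmp-host-unreachable, "
                        "or the host really is unreachable",
    errno.ETIMEDOUT: "no answer at all (packet dropped or host down)",
}


def probe(host, port, timeout=3.0):
    """Attempt one IPv4 TCP connect and return 0 or the errno it failed with."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return 0
    except socket.timeout:          # our own timeout expired
        return errno.ETIMEDOUT
    except OSError as exc:          # kernel reported a reset or an ICMP error
        return exc.errno
    finally:
        sock.close()


def explain(code):
    """Return (message a client such as telnet prints, likely cause)."""
    message = "Connected" if code == 0 else os.strerror(code)
    return message, LIKELY_CAUSE.get(code, "other error; inspect with tcpdump")


if __name__ == "__main__":
    # Same local port as in the telnet session above.
    code = probe("127.0.0.1", 3000)
    print("%s: %s" % explain(code))
```
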