Re: Iptables & Default policy of Reject
On Tue, 11 Sep 2007 09:52:12 -0700
David Brodbeck <brodbd@u.washington.edu> wrote:
>
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
>
> > For as long as I have used iptables, I have not been able to use policies of reject. I
> > even remember the target 'REJECT' being a selectable kernel option.
> > Reject requires some ICMP action whereas DROP doesn't.
>
> But be aware that DROP can cause unexpected side-effects in some
> cases, because it's not what remote hosts expect.
>
> I recall one instance where a mail server I'd configured couldn't
> send mail to one particular system. Both systems could freely
> exchange mail with other places.
>
> The problem turned out to be that I was dropping packets sent to the
> ident port. When my system tried to initiate an SMTP exchange, the
> other system would try to do an ident callback against it. Since I
> was dropping packets instead of rejecting them, the whole transaction
> would come to a halt while the other system waited for the ident
> connection to time out. By the time that happened, the SMTP daemon
> on the other system had timed out, as well, so no mail ever got
> delivered.
>
> Once I started rejecting packets to ident instead, things worked,
> since the ident callback would fail immediately. (Actually, since I
> didn't have the REJECT target, I just opened the ident port and then
> made sure identd wasn't running.)
This is indeed a notorious issue. From the Shorewall FAQ:
> (FAQ 4) I just used an online port scanner to check my firewall and it shows some ports as “closed” rather than “blocked”. Why?
>
> Answer: The default Shorewall setup invokes the Drop action prior to enforcing a DROP policy, and the default policy to all zones from the internet is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop which in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the REJECT action (i.e., Auth/REJECT). This is necessary to prevent outgoing connection problems to services that use the “Auth” mechanism for identifying requesting users. That is the only service which the default setup rejects.
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
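The timing difference behind the ident story above can be reproduced without a firewall at all. The following is an added example, not code from anyone in this thread or from Shorewall: it mimics what the remote MTA does (an RFC 1413 ident callback to TCP port 113 on the sending host) and runs it against three local stand-ins: a port that answers like identd, a port that is bound but not listening (the kernel replies with a TCP RST, which is what the caller sees from `REJECT --reject-with tcp-reset`, or from David's workaround of opening the port with no identd behind it), and a listener that accepts and then stays silent, which from the caller's side produces the same effect as a DROP rule, namely waiting out its own timeout (a real DROP stalls the handshake itself rather than the read, but the wait is the same). The ident reply string, the port numbers and the one-second timeout are all constructed for the demonstration; a real MTA's ident timeout is typically far longer, which is exactly why the SMTP session on the other side gave up first.

```python
"""Timing of an ident (RFC 1413) callback against a port that answers, a port
that is closed (REJECT / no identd) and a port that never answers (DROP).
All three "remote" sides are local stand-ins constructed for this example."""
import socket
import threading
import time


def ident_callback(host, port, timeout):
    """Do what a remote MTA does before accepting mail: connect to the
    sending host's ident port, ask who owns the SMTP connection and wait for
    one reply line. Returns (outcome, seconds_spent)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"25, 54321\r\n")        # "<server-port>, <client-port>"
            reply = s.recv(512).decode(errors="replace").strip()
            return ("reply:" + reply, time.monotonic() - start)
    except ConnectionRefusedError:             # TCP RST: closed port / REJECT
        return ("refused", time.monotonic() - start)
    except socket.timeout:                     # silence: what DROP looks like
        return ("timeout", time.monotonic() - start)


def _serve(reply):
    """Start a local listener. reply=None: accept and never answer (DROP
    stand-in). reply=bytes: answer like identd. Returns (port, stop_event)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.05)                       # lets the loop notice stop_event
    stop = threading.Event()
    held = []

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if reply is None:
                held.append(conn)              # hold it open, say nothing
            else:
                conn.recv(512)                 # read the "25, 54321" query
                conn.sendall(reply)
                conn.close()
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def reserve_closed_port():
    """Bind an ephemeral port without listening on it. A SYN to it gets a RST
    from the kernel, which is exactly what the caller sees from a REJECT
    rule (or an open port with no identd). Keeping the socket bound also
    stops the port being handed out as the client's own source port."""
    holder = socket.socket()
    holder.bind(("127.0.0.1", 0))
    return holder.getsockname()[1], holder


def compare(timeout=1.0):
    """Run the callback against all three kinds of port and return the
    outcomes keyed by the firewall behaviour each one stands in for."""
    answering_port, stop_a = _serve(b"25, 54321 : USERID : UNIX : mail\r\n")
    silent_port, stop_s = _serve(None)
    closed, holder = reserve_closed_port()
    try:
        return {
            "identd": ident_callback("127.0.0.1", answering_port, timeout),
            "reject": ident_callback("127.0.0.1", closed, timeout),
            "drop":   ident_callback("127.0.0.1", silent_port, timeout),
        }
    finally:
        stop_a.set()
        stop_s.set()
        holder.close()


if __name__ == "__main__":
    # identd -> reply in milliseconds, reject -> refused in milliseconds,
    # drop -> timeout only after the full `timeout` has elapsed.
    for case, (outcome, secs) in compare().items():
        print(f"{case:7s} {outcome:45s} {secs:.2f}s")
```

The "reject" row is the behaviour Shorewall's Auth/REJECT buys you: the remote MTA's callback fails instantly and it moves on to the SMTP dialogue. If you are writing the rule by hand rather than through Shorewall, `iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset` gives the RST seen here; plain `-j REJECT` answers with an ICMP port-unreachable instead, which also fails the callback at once. Only a silent DROP makes the caller sit through its timeout.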