Re: Iptables & Default policy of Reject

To: debian-user@lists.debian.org
Subject: Re: Iptables & Default policy of Reject
From: Celejar <celejar@gmail.com>
Date: Tue, 11 Sep 2007 22:35:56 -0400
Message-id: <[🔎] 20070911223556.e32fd520.celejar@gmail.com>
In-reply-to: <[🔎] 4DEAE9EC-694C-4989-9A49-0A29ABA838E5@u.washington.edu>
References: <[🔎] 20070911091112.27fc2332.madroach@localhost> <[🔎] 4DEAE9EC-694C-4989-9A49-0A29ABA838E5@u.washington.edu>

On Tue, 11 Sep 2007 09:52:12 -0700
David Brodbeck <brodbd@u.washington.edu> wrote:

> 
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
> 
> > As long as I use iptables I was not able to use policies of reject. I
> > even remember the target 'REJECT' being a selectable kernel option.
> > Reject requires some ICMP action whereas DROP doesn't.
> 
> But be aware that DROP can cause unexpected side-effects in some  
> cases, because it's not what remote hosts expect.
> 
> I recall one instance where a mail server I'd configured couldn't  
> send mail to one particular system.  Both systems could freely  
> exchange mail with other places.
> 
> The problem turned out to be that I was dropping packets sent to the  
> ident port.  When my system tried to initiate an SMTP exchange, the  
> other system would try to do an ident callback against it.  Since I  
> was dropping packets instead of rejecting them, the whole transaction  
> would come to a halt while the other system waited for the ident  
> connection to time out.  By the time that happened, the SMTP daemon  
> on the other system had timed out, as well, so no mail ever got  
> delivered.
> 
> Once I started rejecting packets to ident instead, things worked,  
> since the ident callback would fail immediately.  (Actually, since I  
> didn't have the REJECT target, I just opened the ident port and then  
> made sure identd wasn't running.)

This is indeed a notorious issue.  From the shorewall FAQ:

> (FAQ 4) I just used an online port scanner to check my firewall and it shows some ports as “closed” rather than “blocked”. Why?
> 
> Answer: The default Shorewall setup invokes the Drop action prior to enforcing a DROP policy and the default policy to all zone from the internet is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop which in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the REJECT action (i.e., Auth/REJECT). This is necessary to prevent outgoing connection problems to services that use the “Auth” mechanism for identifying requesting users. That is the only service which the default setup rejects.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Reply to:

References:
- Re: Iptables & Default policy of Reject
  - From: Christopher Zimmermann <madroach@zakweb.de>
- Re: Iptables & Default policy of Reject
  - From: David Brodbeck <brodbd@u.washington.edu>

Prev by Date: Re: debian oriented laptot suggestions
Next by Date: Re: Thinkpad T20 wireless troubles
Previous by thread: Re: Iptables & Default policy of Reject
Next by thread: permissions problems when using libusb
Index(es):
- Date
- Thread