* Reject all the interfaces
@ 2004-12-22 3:23 Erico Augusto
From: Erico Augusto @ 2004-12-22 3:23 UTC (permalink / raw)
To: netfilter
Hi,
I had the simple task to block the connections of 3 workstations (loopback
and eth0) after a certain hour. So, I decided to put the single rule:
iptables -I OUTPUT -j REJECT --reject-with icmp-host-prohibited
After that, a friend of mine told me the following:
It's better to reject eth0 only, because, with the rule above, I'm
blocking the loopback also, and the services that depend on that
"interface", such as all the unix socket based applications.
That is my doubt. I read a lot of documentation about the netfilter
architecture, but there is that gap of knowledge. The documentation
never speaks about the differences between unix and tcp sockets.
Instead of searching directly in Google, I decided to ask here in the netfilter
list: Where can I find that kind of information (netfilter x unix/tcp
sockets)?
Thanks,
Erico.
* Re: Reject all the interfaces
From: Jason Opperisano @ 2004-12-22 4:05 UTC (permalink / raw)
To: netfilter
On Tue, 2004-12-21 at 22:23, Erico Augusto wrote:
> Hi,
>
> I had the simple task to block the connections of 3 workstations (loopback
> and eth0) after a certain hour. So, I decided to put the single rule:
>
> iptables -I OUTPUT -j REJECT --reject-with icmp-host-prohibited
>
> After that, a friend of mine told me the following:
>
> It's better to reject eth0 only, because, with the rule above, I'm
> blocking the loopback also, and the services that depend on that
> "interface",
remove the quotes--lo is a real interface just like eth0. i agree with
your friend that blocking all packets on lo is a very bad idea if these
are workstations. since unix windowing environments are a network
client/server architecture, blocking packets on lo has interesting side
effects like not being able to use your keyboard anymore (yes--i did
this once). also--if you're trying to block outbound network
connections, blocking lo isn't helping you achieve this result.
> such as all the unix socket based applications.
unix domain sockets have nothing to do with the loopback interface.
> That is my doubt. I read a lot of documentation about the netfilter
> architecture, but there is that gap of knowledge. The documentation
> never speaks about the differences between unix and tcp sockets.
because netfilter doesn't deal with unix domain sockets. the netfilter
documentation never speaks about IPX/SPX or AppleTalk either, but i
don't consider that to be a shortcoming.
> Instead of searching directly in Google, I decided to ask here in the netfilter
> list: Where can I find that kind of information (netfilter x unix/tcp
> sockets)?
by searching google. or reading stevens' vol. 3
-j
--
"Me fail English? That's unpossible."
--The Simpsons
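The point of the reply above is that the rule should be scoped to the egress interface instead of matching every outbound packet. The following is an added example, not code from either poster: a POSIX sh script that renders both rulesets in iptables-restore format (the original unscoped rule as iptables-save would show it, and a scoped version that accepts lo first and rejects only on eth0) and a small static check that flags any OUTPUT REJECT/DROP rule that would also hit lo. The time window, the interface name eth0 and the use of the xt_time match (`-m time --timestart/--timestop`) are my assumptions; the thread only says "after a certain hour".

```shell
#!/bin/sh
# Added example (not from the thread): scope the outbound block to the
# real network interface and leave lo alone.
# Assumptions (mine, not the thread's): the kernel ships the xt_time
# match, and eth0 / 22:00-06:00 are placeholders for the real values.

EXT_IF="${EXT_IF:-eth0}"
BLOCK_START="${BLOCK_START:-22:00}"
BLOCK_STOP="${BLOCK_STOP:-06:00}"

# The original poster's rule, as iptables-save would render it. With no
# "-o" it matches every packet leaving the box, including those on lo.
unscoped_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A OUTPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# Scoped version: lo is accepted first, then only packets leaving via
# EXT_IF inside the window are rejected. With a daily rule, a stop time
# earlier than the start time simply wraps across midnight.
scoped_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A OUTPUT -o lo -j ACCEPT' \
        "-A OUTPUT -o $EXT_IF -m time --timestart $BLOCK_START --timestop $BLOCK_STOP -j REJECT --reject-with icmp-host-prohibited" \
        'COMMIT'
}

# Static check, ruleset on stdin: exit 0 only if no REJECT/DROP rule in
# OUTPUT can match traffic on lo, i.e. every such rule names an output
# interface other than lo. Exit 1 otherwise.
check_no_lo_block() {
    awk '
        /^-[AI] OUTPUT/ && /-j (REJECT|DROP)/ {
            if ($0 !~ /-o [^ ]+/) bad++          # unscoped: hits lo too
            else if ($0 ~ /-o lo( |$)/) bad++    # explicitly blocks lo
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Demonstration when run directly. To load the scoped ruleset on a real
# host (root, and iptables-restore --test first to only parse it):
#   scoped_ruleset > /etc/iptables/night-block.rules
#   iptables-restore --test < /etc/iptables/night-block.rules
#   iptables-restore < /etc/iptables/night-block.rules
if unscoped_ruleset | check_no_lo_block; then
    echo "unscoped ruleset: ok"
else
    echo "unscoped ruleset: would also block lo"
fi
if scoped_ruleset | check_no_lo_block; then
    echo "scoped ruleset: ok"
else
    echo "scoped ruleset: would also block lo"
fi
```

One ordering caveat: the original rule used `-I`, which inserts at the top of OUTPUT, so a later `-A OUTPUT -o lo -j ACCEPT` would never be reached. In the iptables-restore file the rules are appended in the order written, so the lo accept comes first. On a live box, `iptables -L OUTPUT -v -n` shows the `out` column and lets you confirm that the REJECT line reads `eth0` rather than `*`.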