REJECT sends more than just RST?

REJECT sends more than just RST?

[Andrew Brooks]

Hi,

I'm trying to reject SMTP connections by sending a RST but it
seems to be sending SYN ACK before sending RST which isn't what
I want.  I'm using shorewall 1.2.8 and kernel 2.4.18.  Is this
a known problem, and, if so, which release fixes it?

Thanks,

Andrew.

Re: REJECT sends more than just RST?

[Antony Stone]

On Thursday 06 November 2003 12:54 pm, Andrew Brooks wrote:

> Hi,
>
> I'm trying to reject SMTP connections by sending a RST but it
> seems to be sending SYN ACK before sending RST which isn't what
> I want.  I'm using shorewall 1.2.8 and kernel 2.4.18.  Is this
> a known problem, and, if so, which release fixes it?

What rule/s are you attempting to use to do this?

I would have thought something like:

iptables -A INPUT (or FORWARD, depending on your setup) -p tcp --dport 25 -j 
REJECT --reject-with=tcp-reset

should do the trick?

Antony.

-- 

Perfection in design is achieved not when there is nothing left to add,
but rather when there is nothing left to take away.

 - Antoine de Saint-Exupery
                                                     Please reply to the list;
                                                           please don't CC me.

Re: REJECT sends more than just RST?

[Antony Stone]

On Friday 07 November 2003 5:10 pm, Andrew Brooks wrote:

> Antony Stone wrote:
> > Andrew Brooks wrote:
> > > I'm trying to reject SMTP connections by sending a RST but it
> > > seems to be sending SYN ACK before sending RST which isn't what
> > > I want.  I'm using shorewall 1.2.8 and kernel 2.4.18.  Is this
> > > a known problem, and, if so, which release fixes it?
> >
> > What rule/s are you attempting to use to do this?
> >
> > I would have thought something like:
> >
> > iptables -A INPUT (or FORWARD, depending on your setup) -p tcp --dport 25
> > -j REJECT --reject-with=tcp-reset
> >
> > should do the trick?
>
> Thanks very much for your reply.
>
> Unfortunately I'm using Shorewall to generate the rules so I don't
> know exactly what it's using.  However I suspect it's not specifying
> any --reject-with argument, maybe because there wasn't any such
> option in the 2.4.18 kernel.

Er, yes there was.   --reject-with has been around for a long time.

> Anyway I was wondering whether the effect I am seeing is due to a
> known, and fixed, problem?  The shorewall author has said that there
> have been other REJECT-related bugs too, so I'm understandly reluctant
> to simply try a new kernel for the sake of it, unless I know it will
> fix the problem and not break anything else!

If you're talking to the shorewall author (is that Tom Eastep?), you should 
be able to find out exactly what rule is being used (assuming it's not 
possible for you to find out from a running system?), so you can tell whether 
the behaviour is as expected or not.

Antony.

-- 

There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly
                                                     Please reply to the list;
                                                           please don't CC me.