* REJECT target faster for remote than for local packets?
@ 2012-03-27 13:51 Nils Rennebarth
2012-03-27 17:21 ` Humberto Jucá
0 siblings, 1 reply; 3+ messages in thread
From: Nils Rennebarth @ 2012-03-27 13:51 UTC (permalink / raw)
To: netfilter
Hi,
A simple firewall rule
iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
prevents local processes from making TCP connections to port 80,
and those who try will get a -ECONNREFUSED. Good.
But why do they get the error only after a few seconds? A tcpdump
shows that ICMP Packets are generated on the loopback interface:
When doing
wget http://host:80/
exactly two ICMP packets show up on lo:
15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
But only the second one has an effect:
Connecting to host|10.10.10.31|:80... failed: Connection refused
My question is:
1) why?
2) is there another way to make connections to a certain set of hosts fail fast
and without delay, without changing the applications themselves?
--
Mit freundlichen Grüßen / with kind regards
Nils Rennebarth, Software Developer
--
Funkwerk IP-Appliances GmbH
Mönchhaldenstraße 28
D-70191 Stuttgart
Tel: +49 711 900300 - 0
Fax: +49 711 900300 - 90
E-Mail: Nils.Rennebarth@funkwerk-ec.com
Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
Managing Directors: Torsten Urban
--------------------------------
The information contained in this e-mail has been carefully researched,
but the possibility of it being inapplicable in individual cases cannot
be ruled out. We therefore regret that we cannot accept responsibility
or liability of any kind whatsoever for the correctness of the
information given. Please notify us if you discover that information is
inapplicable.
* Re: REJECT target faster for remote than for local packets?
2012-03-27 13:51 REJECT target faster for remote than for local packets? Nils Rennebarth
@ 2012-03-27 17:21 ` Humberto Jucá
2012-03-27 17:45 ` Nils Rennebarth
0 siblings, 1 reply; 3+ messages in thread
From: Humberto Jucá @ 2012-03-27 17:21 UTC (permalink / raw)
To: Nils Rennebarth; +Cc: netfilter
Hi,
For TCP connections, try it with "-j REJECT --reject-with tcp-reset".
It's faster than port unreachable!
2012/3/27 Nils Rennebarth <nils.rennebarth@funkwerk-ec.com>:
> Hi,
>
> A simple firewall rule
> iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> prevents local processes from making TCP connections to port 80,
> and those who try will get a -ECONNREFUSED. Good.
>
> But why do they get the error only after a few seconds? A tcpdump
> shows that ICMP Packets are generated on the loopback interface:
>
> When doing
> wget http://host:80/
> exactly two ICMP packets show up on lo:
> 15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> 15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> But only the second one has an effect:
>
> Connecting to host|10.10.10.31|:80... failed: Connection refused
>
> My question is:
> 1) why?
> 2) is there another way to make connections to a certain set of hosts fail fast
> and without delay, without changing the applications themselves?
>
* Re: REJECT target faster for remote than for local packets?
2012-03-27 17:21 ` Humberto Jucá
@ 2012-03-27 17:45 ` Nils Rennebarth
0 siblings, 0 replies; 3+ messages in thread
From: Nils Rennebarth @ 2012-03-27 17:45 UTC (permalink / raw)
To: Humberto Jucá; +Cc: netfilter@vger.kernel.org
On 27.03.2012 19:21, Humberto Jucá wrote:
> Hi,
>
>> iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> For TCP connections, try to do with "-j REJECT --reject-with tcp-reset".
> It's faster than port unreachable!
Makes no difference here. Takes 3 seconds, exactly the time to the next
SYN packet.
Oh well, that is true for the 2.6.32 kernel. But for the 3.2.0 kernel,
it really does make a difference:
with --reject-with icmp-port-unreachable it takes only 1 second
and with --reject-with tcp-reset the reaction is instantaneous
(i.e. 32ms)
What exactly did change in the kernel and when?
--
Mit freundlichen Grüßen / with kind regards
Nils Rennebarth, Software Developer
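The thread compares two REJECT variants by how long the application waits for -ECONNREFUSED, and the reported delays (about 3 s on 2.6.32, about 1 s on 3.2.0) equal the interval to the next SYN retransmission; Linux lowered that initial retransmission timeout from 3 s to 1 s in 3.1 following RFC 6298, while `--reject-with tcp-reset` answers the first SYN with a RST and so involves no retransmit wait at all. The script below is an added example, not code from the thread: it times `connect()` against a list of host:port targets and reports the errno and the elapsed time, so both rule variants can be compared on any kernel without changing the application. It assumes the iptables rule is installed separately by root; the built-in self-test target is a closed loopback port, which the kernel refuses immediately with a RST.

```python
"""Measure how quickly outbound TCP connects fail, and with which errno.

Added example, not part of the netfilter thread. Intended to compare
`-j REJECT` (icmp-port-unreachable) against `-j REJECT --reject-with tcp-reset`
from the application's point of view: the iptables rule itself is assumed to
be installed separately by root; this script only times the connect() call.
"""
import errno
import socket
import sys
import time
from dataclasses import dataclass
from typing import Optional

# Anything slower than this is treated as "waited for a SYN retransmit"
# rather than an immediate refusal (constructed threshold, tune to taste).
FAST_THRESHOLD = 0.5


@dataclass
class ConnectResult:
    host: str
    port: int
    error: Optional[str]   # errno name ("ECONNREFUSED", "ETIMEDOUT", ...) or None if it connected
    elapsed: float         # seconds until connect() returned


def time_connect(host: str, port: int, timeout: float = 10.0) -> ConnectResult:
    """Try one TCP connect and report the outcome and how long the kernel took."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        return ConnectResult(host, port, None, time.monotonic() - start)
    except socket.timeout:
        # No answer at all within `timeout`: typical of a DROP rule, not REJECT.
        return ConnectResult(host, port, "ETIMEDOUT", time.monotonic() - start)
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, "errno %s" % exc.errno)
        return ConnectResult(host, port, name, time.monotonic() - start)
    finally:
        sock.close()


def fails_fast(result: ConnectResult, threshold: float = FAST_THRESHOLD) -> bool:
    """True when the connect was refused without waiting for a SYN retransmit."""
    return result.error == "ECONNREFUSED" and result.elapsed < threshold


def classify(result: ConnectResult) -> str:
    """Human-readable verdict for one measurement."""
    if result.error is None:
        return "connected"
    if result.error == "ECONNREFUSED":
        return "refused fast" if fails_fast(result) else "refused after retransmit wait"
    return "failed: " + result.error


def closed_loopback_port() -> int:
    """Pick a loopback port nobody listens on; the kernel answers its SYN with a RST."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))   # port 0: let the kernel choose a free one
    port = probe.getsockname()[1]
    probe.close()                  # never listened, so a connect now gets RST
    return port


if __name__ == "__main__":
    # Usage: python3 reject_timing.py host:port [host:port ...]
    # With no arguments it measures the closed-loopback self-test target.
    targets = sys.argv[1:] or ["127.0.0.1:%d" % closed_loopback_port()]
    for target in targets:
        host, _, port = target.rpartition(":")
        r = time_connect(host, int(port))
        print("%s:%d  %-30s %.3fs" % (r.host, r.port, classify(r), r.elapsed))
```

Run it once with the plain REJECT rule in place and once with `--reject-with tcp-reset` (the rules from the thread, against the same target): a result of "refused after retransmit wait" with an elapsed time near 1 s or 3 s is the SYN retransmission interval, and "refused fast" is what the RST variant should give. A verdict of "failed: ETIMEDOUT" indicates the SYN was dropped rather than rejected.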