On Mon, Sep 20, 2021 at 11:45:06AM +0200, Bastian Blank wrote:
> On Mon, Sep 20, 2021 at 02:11:06AM +0000, Paul Wise wrote:
> > Normally one would get "Connection refused" when connecting to a port
> > that isn't open,
>
> "Connection refused" is generated by TCP reset packets.

That, or ICMP type 1 code 3 packets ("destination port unreachable"). See
below.

> > but at this site one gets "No route to host", as if
> > there is no network path to reach the host,
>
> "No route to host" is generated by an ICMP error.

Specifically, by ICMP type 1 code 1 ("destination host unreachable").

It has become fashionable to use that code to reject connection attempts,
but personally I find that to be very confusing if it's used for a single
port rather than a whole host or network.

It's possible to use the correct ICMP code in firewalls, and then
connection error messages become far less confusing:

root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
root@pc181009:~# iptables -D INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-host-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: No route to host

but you do you of course ;-)

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
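As an added illustration, not part of the mail above, the following Python parser takes a raw ICMPv4 destination-unreachable message, verifies its checksum, pulls the destination port out of the quoted TCP header and reports the errno name and message a Linux connect() surfaces for that code (code 1 gives "No route to host", code 3 gives "Connection refused"). The entries for codes other than 1 and 3 are an assumption drawn from the kernel's icmp_err_convert table, and the packet it parses is a constructed sample.

```python
import errno
import os
import struct

ICMP_DEST_UNREACH = 3  # ICMPv4 "destination unreachable" message type

# code -> errno a rejected connect() reports. Codes 1 and 3 are the two the
# mail contrasts; the rest are an assumption from Linux's icmp_err_convert.
UNREACH_CODE_TO_ERRNO = {
    0: errno.ENETUNREACH,    # net unreachable  -> "Network is unreachable"
    1: errno.EHOSTUNREACH,   # host unreachable -> "No route to host"
    3: errno.ECONNREFUSED,   # port unreachable -> "Connection refused"
    4: errno.EMSGSIZE,       # fragmentation needed (PMTU discovery)
    13: errno.EHOSTUNREACH,  # admin prohibited -> also "No route to host"
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, dst_port: int) -> bytes:
    """Constructed sample: ICMP type 3 quoting a minimal 127.0.0.1 IPv4+TCP header."""
    lo = bytes([127, 0, 0, 1])
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, lo, lo)
    inner_tcp8 = struct.pack("!HHI", 40000, dst_port, 1)  # sport, dport, seq
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def icmp_unreachable_to_errno(pkt: bytes):
    """Parse an ICMPv4 error; return (code, quoted dst port, errno name, message)."""
    if len(pkt) < 28 or pkt[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a complete destination-unreachable message")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    code = pkt[1]
    inner = pkt[8:]                      # quoted IP header + first 8 bytes of L4
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not TCP or is truncated")
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    err = UNREACH_CODE_TO_ERRNO.get(code)
    if err is None:
        raise ValueError("unmapped destination-unreachable code %d" % code)
    return code, dport, errno.errorcode[err], os.strerror(err)
```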