On 5/25/06, Fridtjof Busse <[EMAIL PROTECTED]> wrote:
> * "Bill Marquette" <[EMAIL PROTECTED]>:
> > Add a "reject" rule at the bottom of your ruleset.
> One more thing: How is this supposed to work for the internal
> interface?
> The default rule already allows all traffic, still the machine doesn't
> reject traffic to "not open ports" on its LAN interface:
> 'telnet $int_interface 81' will not end up in a "connection refused".
That's an OS feature to not generate the reset. The behaviour can be
changed in /etc/sysctl.conf
# Do not send RSTs for packets to closed ports
net.inet.tcp.blackhole=2
# Do not send ICMP port unreach messages for closed ports
net.inet.udp.blackhole=1
> This is particularly annoying if you switch to the https-webfrontend and
> accidentally type http instead of https: your browser will run into a
> timeout instead of a "connection refused"...
Change the sysctl, or set up a rule on the LAN interface to allow port
443 and another to reject anything else to the LAN IP.
> BTW: Even if I define a rule as reject, it still has the "block-icon"
> instead of the yellow "reject" (on firewall_rules.php). Bug or feature?
That may be a display bug, we can look into it.
--Bill
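Added example, not from this thread or from pfSense itself: a small Python
script that parses the sysctl.conf fragment quoted above and probes a TCP
port to show the difference Fridtjof ran into. A closed port on a host with
net.inet.tcp.blackhole=0 answers with an RST and the client sees "connection
refused"; with blackhole set (1 drops SYNs to closed ports, 2 drops all
segments, per FreeBSD's blackhole(4)) or with a "block" rule instead of
"reject", nothing comes back and the client times out. The function names
(parse_sysctl_conf, classify_tcp_probe and friends) and the sample config text
are this example's own; the live probe only uses 127.0.0.1 so it runs offline.

```python
import socket

# Sample /etc/sysctl.conf fragment, constructed for this example (it mirrors
# the two settings quoted in the thread).
SAMPLE_SYSCTL_CONF = """\
# Do not send RSTs for packets to closed ports
net.inet.tcp.blackhole=2
# Do not send ICMP port unreach messages for closed ports
net.inet.udp.blackhole=1
"""


def parse_sysctl_conf(text):
    """Parse key=value lines of a sysctl.conf fragment, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def expected_tcp_closed_port_behaviour(settings):
    """What a TCP connect to a closed port should look like on a host with
    these settings: blackhole=0 -> RST sent, client sees 'refused';
    blackhole=1 or 2 -> segments dropped, client sees a timeout."""
    return "refused" if settings.get("net.inet.tcp.blackhole", 0) == 0 else "timeout"


def classify_tcp_probe(host, port, timeout=2.0):
    """Connect once and report 'open', 'refused' (an RST came back) or
    'timeout' (no answer: blackhole sysctl, or a block rule rather than reject)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"


def loopback_closed_port():
    """Find a port on 127.0.0.1 that is currently closed (bind, read it, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_listener():
    """Open a listening socket on 127.0.0.1 so the 'open' result can be shown.
    The caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo():
    settings = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    print("configured:", settings)
    print("expected on a host with that config:",
          expected_tcp_closed_port_behaviour(settings))
    port = loopback_closed_port()
    # On a default Linux or FreeBSD box (blackhole=0) this prints 'refused'.
    print("probe of closed loopback port", port, "->",
          classify_tcp_probe("127.0.0.1", port))


if __name__ == "__main__":
    demo()
```

Pointing classify_tcp_probe at the LAN IP of the firewall before and after
changing the sysctl (or after adding the reject rule Bill describes) shows
the switch from "timeout" to "refused" directly, which is easier to read than
waiting for a browser to give up.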