REJECT patch
From kadlec@blackhole.kfki.hu Mon Sep 17 10:17:31 2001
Date: Wed, 10 May 2000 22:43:34 +0200 (CEST)
From: Jozsef Kadlecsik
To: Toth Csaba
Cc: Multiple recipients of list NETFILTER
Subject: Re: router
Hello,
On Wed, 10 May 2000, Toth Csaba wrote:
> Many people said: "we are talking about firewalls/packet filters but not
> routers"
>
> I think a linux packet filter is a router box too in most cases!!
But even in that case, it is primarily a firewall and not a router:
side effect.
IMHO, the job for a router is to make all effort to pass the packets to
the right direction. If it fails for some reasons it may drop packets
and/or may (must?) notify the sender about it by sending back proper ICMP
messages.
However the job for a firewall is to strictly *control* the traffic
according to the security requirements of the site. To do it properly, it
must drop packets, it must alter packets (NAT, etc.) and do whatever is
appropriate to enforce the security requirements. At dropping packets and
aborting connections, it must do it as efficiently as possible - thus
some of us argue for an option to REJECT with RST.
By the way, in some cases the current REJECT mode (send back an ICMP port
unreachable packet) is equal to DROP, i.e. practically hasn't got the
desired effect.
In February I tested how a couple of OS react when receiving different
kind of TCP connection rejections. The tests were very simple: telnet from
the given OS and watch whether the telnet session is aborted at once (with
a proper or not so proper error message) or it waits for a timeout at
retrying opening the connection.
The results were as follows:
Reject with:     net unr.  host unr.  proto unr.  port unr.  TCP RST
Tested OS:
Linux 2.x.x      abort     abort      abort       abort      abort
FreeBSD 3.3      abort     abort      abort       abort      abort
HP-UX 9.01       abort     abort      abort       abort      abort
ULTRIX 4.3/4.4   abort     abort      abort       abort      abort
Solaris 2.6/7    ignore    ignore     abort       abort      abort
Windows 98/NT    ignore    ignore     abort       ignore     abort
AIX 4.2/4.3      ignore    ignore     ignore      ignore     abort
IRIX 6.2         ignore    ignore     ignore      ignore     abort
OSF1 4.0         ignore    ignore     ignore      ignore     abort
In plain English: the given versions of Windows 98/NT, AIX, IRIX and OSF1
give a damn about the current REJECT mode.
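The test described in the mail (connect from a client and see whether it aborts at once or waits for a timeout) can be scripted so the result is the same "abort / timeout" classification as the table above, plus the errno the client stack reported and how long it waited. The script below is an added example, not code from the original mail or from the netfilter project. It exercises the TCP RST column locally: connecting to a closed loopback port makes the kernel answer with a RST, which the client sees as ECONNREFUSED. The ICMP columns cannot be produced on a single host, so the same probe() would be pointed at a test host behind the firewall whose REJECT mode you want to measure; the 3-second cap and the loopback helpers are assumptions of this example, and a real silent DROP keeps a client retransmitting SYNs for far longer than that.

```python
import errno
import socket
import time

# Added example: reproduce the experiment from the mail. A client connect()
# either aborts immediately (RST, or an ICMP unreachable the stack honours)
# or sits waiting for its SYN retransmissions to expire (DROP, or a REJECT
# the stack ignores). The timeout below only bounds the probe; it is an
# assumption of this example, not a property of any OS in the table.
PROBE_TIMEOUT = 3.0


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Return (outcome, errno_name, seconds_waited).

    outcome is 'open' (handshake completed), 'abort' (the stack gave up at
    once because of a RST or an ICMP error it honours) or 'timeout' (nothing
    came back that the stack acted on, i.e. the DROP-like behaviour).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        return "open", None, time.monotonic() - start
    except socket.timeout:
        return "timeout", None, time.monotonic() - start
    except OSError as e:
        # ECONNREFUSED for a RST or honoured port unreachable,
        # ENETUNREACH / EHOSTUNREACH for honoured net/host unreachable.
        name = errno.errorcode.get(e.errno, str(e.errno))
        return "abort", name, time.monotonic() - start
    finally:
        s.close()


def closed_loopback_port():
    """Bind an ephemeral loopback port and release it again, so that a
    connect() to it is answered by the kernel with a RST (constructed
    stand-in for the 'TCP RST' column)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_loopback_socket():
    """Open a listening loopback socket; the caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def run_demo():
    """Probe a closed and a listening loopback port; returns {label: result}."""
    results = {}
    results["closed port (kernel sends RST)"] = probe(
        "127.0.0.1", closed_loopback_port())
    srv = listening_loopback_socket()
    try:
        results["listening port"] = probe("127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    for label, (outcome, err, waited) in run_demo().items():
        print(f"{label:32s} {outcome:8s} {err or '-':14s} {waited:.3f}s")
```

Run it as is to see the RST case abort in well under a millisecond; run probe() against a port filtered by a DROP rule (or by a REJECT the client OS ignores, as in the table) and the outcome flips to 'timeout' after the full wait, which is exactly the difference the mail is arguing about.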