| 1 |
Hello |
| 2 |
|
| 3 |
On Sat, Sep 13, 2008 at 11:36:13PM +0200, pk wrote: |
| 4 |
> I am using shorewall on my local computer (the same I'm surfing the web |
| 5 |
> with). My skills with iptables are not really good and my understanding of |
| 6 |
> networking also has some holes in it... However, I'm trying to prevent |
| 7 |
> firefox from accessing a third party site; I'm logging onto a site with |
| 8 |
> firefox. With netstat I can see that besides the usual ip address belonging |
| 9 |
> to the site another ip-address (not belonging to the original site) shows |
| 10 |
> up. While trying to block the additional ip address with both "iptables -A |
| 11 |
> INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d xxxx -j DROP" it still |
| 12 |
> sends a SYN request to this site. This makes firefox just sit there waiting |
| 13 |
> for a time-out. How can I prevent firefox from accessing the other site, |
| 14 |
> while still accessing the original one? |
| 15 |
|
| 16 |
If I let aside it is quite odd it would have accessed two sites at once |
| 17 |
(either a virus/cracked computer or one is just closed, or maybe just an |
| 18 |
external image), using DROP is plain wrong. You should REJECT (or it is |
| 19 |
reject, I'm not sure about the case) the packets (at output in this |
| 20 |
case). |
| 21 |
|
| 22 |
DROP causes the packet to get blackholed without a trace. It sometimes |
| 23 |
happens to packets on internet so it is usual to try again and again |
| 24 |
until it succeeds or timeout (usually in tens of seconds) is reached. |
| 25 |
|
| 26 |
If you reject it (either with port or destination unreachable or even |
| 27 |
with "administratively filtered"), the other side knows it has no reason |
| 28 |
to try again and reports failure right away and saves the traffic and |
| 29 |
resources by not trying. |
| 30 |
|
| 31 |
Some people say drop does not show you exist but reject does. That is |
| 32 |
wrong too, destination unreachable means "There is no such machine with |
| 33 |
this IP", so it should hide the whole machine better than drop (if I |
| 34 |
send packets and no errors nor responses come, I suspect a firewall as |
| 35 |
well as malfunction). |
| 36 |
|
| 37 |
Does this help? |
| 38 |
|
| 39 |
Have a nice help |
| 40 |
|
| 41 |
-- |
| 42 |
BOFH Excuse #452: |
| 43 |
Somebody ran the operating system through a spelling checker. |
| 44 |
|
| 45 |
Michal 'vorner' Vaner |
Archives