Hello

On Sat, Sep 13, 2008 at 11:36:13PM +0200, pk wrote:
> I am using shorewall on my local computer (the same I'm surfing the web
> with). My skills with iptables are not really good and my understanding of
> networking also has some holes in it... However, I'm trying to prevent
> firefox from accessing a third party site; I'm logging onto a site with
> firefox. With netstat I can see that besides the usual ip address belonging
> to the site another ip-address (not belonging to the original site) shows
> up. While trying to block the additional ip address with both "iptables -A
> INPUT -s xxxx -j DROP" and "iptables -A OUTPUT -d xxxx -j DROP" it still
> sends a SYN request to this site. This makes firefox just sit there waiting
> for a time-out. How can I prevent firefox from accessing the other site,
> while still accessing the original one?

If I leave aside that it is quite odd it would have accessed two sites at
once (either a virus/cracked computer or one is just closed, or maybe just
an external image), using DROP is plain wrong. You should REJECT (or it is
reject, I'm not sure about the case) the packets (at output in this
case).

DROP causes the packet to get blackholed without a trace. It sometimes
happens to packets on the internet, so it is usual to try again and again
until it succeeds or a timeout (usually in tens of seconds) is reached.

If you reject it (either with port or destination unreachable or even
with "administratively filtered"), the other side knows it has no reason
to try again and reports failure right away, and saves the traffic and
resources by not trying.

Some people say drop does not show you exist but reject does. That is
wrong too: destination unreachable means "There is no such machine with
this IP", so it should hide the whole machine better than drop (if I
send packets and no errors or responses come, I suspect a firewall as
well as a malfunction).

Does this help?

Have a nice help

-- 
BOFH Excuse #452:
Somebody ran the operating system through a spelling checker.

Michal 'vorner' Vaner
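The advice above (REJECT on OUTPUT instead of DROP, and why DROP makes the local client hang) can be turned into a small offline check. The following Python script is an added example, not part of the mail or of Shorewall: it reads a constructed `iptables-save` dump (the 192.0.2.x / 198.51.100.x addresses are documentation-range placeholders standing in for the "xxxx" in the question), flags every OUTPUT rule that DROPs a destination, and prints the equivalent REJECT rule. It also computes how long a `connect()` waits when every SYN is silently dropped, using the Linux defaults of `net.ipv4.tcp_syn_retries = 6` and a 1 s initial RTO. The `--reject-with` values `tcp-reset` and `icmp-admin-prohibited` are real options of the iptables REJECT target; the rest of the names (`audit`, `Rule`, `SAMPLE_DUMP`) are this example's own.

```python
"""Audit iptables-save output for OUTPUT-chain DROP rules and suggest REJECT.

Added example for this thread, not the author's or Shorewall's code.  It only
parses text; it never touches a live firewall.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what `iptables-save -t filter` prints.  192.0.2.10 is
# the third-party host from the question (RFC 5737 documentation address).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A OUTPUT -d 192.0.2.10/32 -j DROP
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -d 198.51.100.7/32 -j REJECT --reject-with icmp-admin-prohibited
COMMIT
"""

# "-A <chain> <matches> -j <target> [target options]"
RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*?) -j (?P<target>\S+)(?P<rest>.*)$")


@dataclass
class Rule:
    chain: str    # INPUT, OUTPUT, FORWARD or a user chain
    body: str     # the match part, e.g. "-d 192.0.2.10/32 -p tcp ..."
    target: str   # ACCEPT, DROP, REJECT, ...
    rest: str     # target options such as "--reject-with ..."


def parse_rules(dump: str) -> List[Rule]:
    """Return the -A rules of an iptables-save dump; table/policy lines are skipped."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["chain"], m["body"], m["target"], m["rest"].strip()))
    return rules


def suggest_reject(rule: Rule) -> Optional[str]:
    """For an OUTPUT DROP rule return the equivalent REJECT rule, else None.

    A TCP-only rule gets tcp-reset, so the local application sees the refused
    connection immediately; any other rule gets icmp-admin-prohibited, the
    "administratively filtered" ICMP error the mail mentions, which works for
    every protocol.
    """
    if rule.chain != "OUTPUT" or rule.target != "DROP":
        return None
    proto = re.search(r"-p (\S+)", rule.body)
    reason = "tcp-reset" if proto and proto.group(1) == "tcp" else "icmp-admin-prohibited"
    return f"-A {rule.chain} {rule.body} -j REJECT --reject-with {reason}"


def audit(dump: str) -> List[Tuple[str, str]]:
    """Return (original rule, suggested REJECT rule) pairs for every OUTPUT DROP."""
    findings = []
    for rule in parse_rules(dump):
        suggestion = suggest_reject(rule)
        if suggestion:
            original = f"-A {rule.chain} {rule.body} -j {rule.target}"
            findings.append((original, suggestion))
    return findings


def syn_connect_timeout_seconds(syn_retries: int = 6, initial_rto: float = 1.0) -> float:
    """Worst-case time a TCP connect() hangs when every SYN is silently dropped.

    Linux retransmits the SYN with exponential backoff starting at the initial
    RTO (1 s) for net.ipv4.tcp_syn_retries attempts (default 6); the attempt
    fails when the timer after the last retransmission expires.  With the
    defaults that is 1+2+4+8+16+32+64 = 127 s, the figure given in the kernel's
    ip-sysctl documentation.  With REJECT the same connect() fails at once.
    """
    return sum(initial_rto * 2 ** i for i in range(syn_retries + 1))


if __name__ == "__main__":
    for original, suggestion in audit(SAMPLE_DUMP):
        print(f"found:   {original}")
        print(f"replace: {suggestion}")
    print(f"connect() with DROP waits up to {syn_connect_timeout_seconds():.0f} s")
```

The INPUT-side DROP in the sample is deliberately left alone: as the mail says, the rule that matters for the browser's hang is the one on OUTPUT, where the kernel can hand the application an immediate error instead of letting it retransmit SYNs for two minutes.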