On Wed, 27 Apr 2005, Stian B. Barmen wrote:

> > Then there were packets flagged as INVALID by conntrack, which are of
> > course not matched by the states above. The reject line however matched
> > them and dutifully generated the RST segment, which tore down the
> > connection.
>
> But what is the reason for the difference in behaviour for -j REJECT vs
> -j REJECT --reject-with tcp-reset? Why does one kill the connection and
> not the other?

A "-j REJECT --reject-with tcp-reset" generates a TCP RST, which always
kills the connection. A "-j REJECT" generates an ICMP error message,
which - depending on the OS which receives the ICMP packet - might
terminate a TCP connection or might not. That is the very reason why
"--reject-with tcp-reset" is required.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
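The exchange above turns on two things: iptables first-match ordering (INVALID packets fell through the state rules into the reject line) and the difference between a TCP RST and an ICMP error as the rejection reply. The following is an added example, not code from the thread or from netfilter: a toy first-match evaluator over conntrack states, with a rule set reconstructed from the quoted description (the exact original rules are not on the page, so the ACCEPT rules are assumed) beside the same rule set with an explicit DROP for INVALID placed ahead of the reject rule. It also renders each rule set as the iptables commands a reader could compare against a real chain.

```python
"""Toy model of iptables first-match evaluation for the REJECT discussion.

Added example, not netfilter itself: only the conntrack state match and the
ACCEPT/DROP/REJECT targets are modelled, and each packet's conntrack state
is supplied by hand instead of being tracked.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                          # "ACCEPT", "DROP" or "REJECT"
    states: Optional[frozenset] = None   # conntrack states matched; None = any packet
    reject_with: str = "icmp-port-unreachable"  # iptables' default for a bare -j REJECT


def evaluate(rules: List[Rule], state: str) -> Tuple[str, Optional[str]]:
    """Return (target, reply) for a packet in the given conntrack state.

    Rules are tried in order and the first match decides, as in iptables.
    The reply is what goes back to the peer: None for ACCEPT and DROP,
    otherwise the REJECT --reject-with value ('tcp-reset' or an ICMP error).
    """
    for rule in rules:
        if rule.states is None or state in rule.states:
            reply = rule.reject_with if rule.target == "REJECT" else None
            return rule.target, reply
    return "ACCEPT", None  # chain policy assumed ACCEPT in this toy


def connection_impact(target: str, reply: Optional[str]) -> str:
    """Summarise the effect on an existing TCP connection, per the reply above:
    a TCP RST always tears it down, an ICMP error may or may not depending on
    the OS that receives it, and ACCEPT/DROP send nothing back at all."""
    if target != "REJECT":
        return "nothing sent back"
    if reply == "tcp-reset":
        return "always torn down"
    return "depends on receiving OS"


def render(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Render the toy rules as iptables commands (-m conntrack --ctstate syntax)."""
    lines = []
    for rule in rules:
        cmd = f"iptables -A {chain}"
        if rule.states is not None:
            cmd += " -m conntrack --ctstate " + ",".join(sorted(rule.states))
        cmd += f" -j {rule.target}"
        if rule.target == "REJECT" and rule.reject_with != "icmp-port-unreachable":
            cmd += f" --reject-with {rule.reject_with}"
        lines.append(cmd)
    return lines


# Rule set reconstructed (assumed) from the quoted description: INVALID packets
# match none of the state rules and fall through to the reject line, which
# answers them with a RST and tears the connection down.
BROKEN = [
    Rule("ACCEPT", frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", frozenset({"NEW"})),
    Rule("REJECT", None, reject_with="tcp-reset"),
]

# Same rule set with INVALID dropped silently before anything can reject it.
FIXED = [
    Rule("DROP", frozenset({"INVALID"})),
    Rule("ACCEPT", frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", frozenset({"NEW"})),
    Rule("REJECT", None, reject_with="tcp-reset"),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        target, reply = evaluate(rules, "INVALID")
        print(f"{name}: INVALID -> {target} (reply={reply}); "
              f"connection: {connection_impact(target, reply)}")
        for line in render(rules):
            print("   ", line)
```

The DROP for INVALID must sit before the reject rule, not after it; with first-match semantics a later rule never sees the packet, which is exactly why the original ordering let the reject line fire.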