which reject code fits the most when rejecting non-IPsec packets

Hi.

I've recently set up IPsec and added some rules to prevent any incoming/outgoing packets from/to the respective peers, roughly like this:
#########################################################
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT	--in-interface lo	-j ACCEPT
-A OUTPUT	--out-interface lo	-j ACCEPT
-A INPUT	-m state  --state UNTRACKED	-j DROP
-A FORWARD	-m state  --state UNTRACKED	-j DROP
-A OUTPUT	-m state  --state UNTRACKED	-j DROP
-A INPUT	-m state  --state INVALID	-j DROP
-A FORWARD	-m state  --state INVALID	-j DROP
-A OUTPUT	-m state  --state INVALID	-j DROP

-A INPUT --protocol udp -m multiport --destination-ports isakmp,isakmp-nat_espinudp -j ACCEPT
-A OUTPUT --protocol udp -m multiport --destination-ports isakmp,isakmp-nat_espinudp -j ACCEPT
-N ipsec-only-in
-N ipsec-only-out
-A INPUT	--source <peeraddresses>	-j ipsec-only-in
-A OUTPUT	--destination <peeraddresses>	-j ipsec-only-out

-A INPUT	-m state  --state ESTABLISHED,RELATED	-j ACCEPT
-A INPUT	--protocol icmp  -m icmp	-j ACCEPT


-A ipsec-only-in -m policy --strict --dir in --pol ipsec --mode tunnel --proto esp -j RETURN
-A ipsec-only-out -m policy --strict --dir out --pol ipsec --mode tunnel --proto esp -j RETURN
-A ipsec-only-in ! --protocol esp -j REJECT --reject-with icmp-admin-prohibited
-A ipsec-only-out ! --protocol esp -j REJECT --reject-with icmp-admin-prohibited

#normal rules like:
-A INPUT --destination eth0.localhost --protocol udp -m udp --destination-port domain -j ACCEPT

#final rule
-A INPUT	-j REJECT  --reject-with icmp-port-unreachable

COMMIT
#########################################################

As you can see, I use --reject-with icmp-admin-prohibited to REJECT such packets, which have been blocked because they were not "IPsec'ed"... Is this the most appropriate ICMP error? I've looked up several RFCs, and those also sound usable to me:
icmp-host-unreachable
icmp-host-prohibited
or even
port-unreachable

There is, however, no explicit documentation in the RFCs (or at least I haven't found any) on exactly when to use which.

Thanks,
Chris.
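As an added example (not part of the original message), a POSIX shell function that emits the ipsec-only chains above for a list of peers, with a rate-limited LOG rule before the REJECT so non-IPsec packets from a peer show up in the kernel log, and the --reject-with code chosen in one place. The peer addresses (192.0.2.x) and log prefix are constructed for the example.

```shell
#!/bin/sh
# Generate an iptables-restore fragment that only lets traffic to and from
# the listed peers through when it is covered by a tunnel-mode ESP policy.
# Packets that are not IPsec-protected are logged (rate limited) and then
# rejected with the ICMP code given as the first argument.
# Assumptions: peer addresses and log prefixes are constructed for this example.

emit_ipsec_only_rules() {
    reject_with="$1"; shift
    printf '%s\n' '-N ipsec-only-in' '-N ipsec-only-out'

    # One jump rule per peer, in each direction.
    for peer in "$@"; do
        printf '%s\n' "-A INPUT --source $peer -j ipsec-only-in"
        printf '%s\n' "-A OUTPUT --destination $peer -j ipsec-only-out"
    done

    # Packets matched by an IPsec policy (decrypted inbound, or about to be
    # encrypted outbound) return to the parent chain for the normal rules.
    printf '%s\n' '-A ipsec-only-in -m policy --strict --dir in --pol ipsec --mode tunnel --proto esp -j RETURN'
    printf '%s\n' '-A ipsec-only-out -m policy --strict --dir out --pol ipsec --mode tunnel --proto esp -j RETURN'

    # Raw ESP is left alone so the kernel can still decapsulate it; anything
    # else from or to a peer is logged, then rejected.
    for dir in in out; do
        printf '%s\n' "-A ipsec-only-$dir ! --protocol esp -m limit --limit 5/min -j LOG --log-prefix \"non-ipsec-$dir: \""
        printf '%s\n' "-A ipsec-only-$dir ! --protocol esp -j REJECT --reject-with $reject_with"
    done
}

# Count the -A rules a given configuration produces (sanity check on the output).
count_rules() {
    emit_ipsec_only_rules "$@" | grep -c '^-A'
}

# Usage: emit_ipsec_only_rules icmp-admin-prohibited 192.0.2.1 192.0.2.2 > ipsec-only.rules
```

The fragment is meant to be spliced into the *filter section of an iptables-restore file like the one above, after the ISAKMP/NAT-T accept rules.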
