> Hi,
>
> I can reject a TCP packet in nftables with:
>
> ip protocol tcp reject with type port-unreachable
>
> This shows up in a nmap scan and on Wireshark.
>
> However, if I try:
>
> ip protocol udp reject with type port-unreachable
>
> netfilter seems to simply drop the packet.
>
> Am I missing something here? Should it be possible to reject a UDP
> packet? My belief is that it should because if I:
>
> nmap --reason -sU -p 12345 <remote Debian host with no firewall>
>
> I get:
>
> PORT       STATE   SERVICE  REASON
> 12345/udp  closed  italk    port-unreach ttl 64
>
> back, which is an ICMP port unreachable message. I just can't seem to
> get nftables to do the same.
>
> Any advice?
>
> Thanks in advance,
>
> Gareth Williams
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

https://nmap.org/book/man-port-scanning-techniques.html

If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered.
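As an added illustration of the nmap rule quoted above (not code from the thread or from nmap), the following builds an ICMP Destination Unreachable reply to a UDP probe and classifies it the way the quoted documentation describes, which is what you would check in a capture when a `reject` rule appears to drop instead of answering. The addresses and port numbers are constructed samples.

```python
# Added example (not from the thread): build an ICMP Destination Unreachable
# reply and classify it as nmap's UDP scan does (type 3 code 3 => closed,
# codes 0,1,2,9,10,13 => filtered). Addresses below are constructed samples.
import struct

FILTERED_CODES = {0, 1, 2, 9, 10, 13}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message that checks out."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(proto: int, total_len: int, src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (ttl 64) with a valid header checksum."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(code: int, src: str, dst: str, probed_port: int) -> bytes:
    """IPv4+ICMP type 3 sent by src, quoting the UDP probe (dst -> src) it answers."""
    quoted = ipv4_header(17, 28, dst, src) + struct.pack("!HHHH", 40000, probed_port, 8, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(1, 20 + len(icmp), src, dst) + icmp


def classify(packet: bytes):
    """Return (icmp_code, probed_udp_port, state), or None if not ICMP type 3 about UDP."""
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if packet[9] != 1 or icmp[0] != 3:          # not ICMP, or not Destination Unreachable
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code, inner = icmp[1], icmp[8:]              # inner = quoted IPv4 header + first 8 bytes
    if inner[9] != 17:                           # the quoted packet was not UDP
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    (dport,) = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])
    # "unknown" marks a code the quoted nmap text does not list
    state = "closed" if code == 3 else "filtered" if code in FILTERED_CODES else "unknown"
    return code, dport, state
```

A reply that parses as (3, 12345, "closed") is what the `port-unreach` reason in the quoted scan output corresponds to; if nothing at all arrives, the rule did not emit an ICMP error.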