How to remove reject-with icmp-host-prohibited?
Hello everyone,
Maybe someone knows, or has run into this:
In ferm, REJECT rules are written in chains. But when the ferm configuration is applied (ferm reload), the REJECT rules in iptables automatically get reject-with icmp-host-prohibited appended.
Example:
in ferm:
table filter {
    chain OUTPUT {
        mod set set filter dst REJECT;
        mod set set netfilter dst REJECT;
    }
}
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ipfilter dst reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set subnetfilter dst reject-with icmp-port-unreachable
For -j REJECT, --reject-with is required. These can be icmp-port-unreachable (the default unless otherwise specified), icmp-admin-prohibited, icmp-host-prohibited, ..., and tcp-reset (TCP only). If you want to drop the connection without sending any response, use -j DROP.
If you want to reset the connection without notification, use DROP instead of REJECT.
In ferm, by default, REJECT notifies the sender with an ICMP packet that the port is unreachable (icmp-port-unreachable). You can specify a different ICMP type:
REJECT reject-with icmp-net-unreachable;
Run "iptables -j REJECT -h" for more information.
It says here: ferm.foo-projects.org/download/2.1/ferm.html
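A complete ferm fragment for the OUTPUT chain from the question, written here as an added example rather than code posted in the thread. It assumes the ipsets named filter and netfilter already exist when ferm loads the file, and it gives every REJECT an explicit reject-with so that iptables no longer falls back to the default icmp-port-unreachable:

```ferm
# Added example, not from the thread. Set names "filter" and "netfilter"
# are taken from the question; the ipsets are assumed to exist already.
table filter {
    chain OUTPUT {
        policy ACCEPT;

        # keep replies to already established flows working
        mod state state (RELATED ESTABLISHED) ACCEPT;

        # destinations in the "filter" set: reject and say the host is prohibited
        mod set set filter dst REJECT reject-with icmp-host-prohibited;

        # destinations in the "netfilter" set: administratively prohibited
        mod set set netfilter dst REJECT reject-with icmp-admin-prohibited;

        # without reject-with, iptables uses icmp-port-unreachable:
        # mod set set filter dst REJECT;

        # to send no ICMP response at all, use DROP instead of REJECT:
        # mod set set filter dst DROP;
    }
}
```

After ferm reload, the last field of each REJECT line in iptables -L OUTPUT -n -v shows the type that was actually applied, which is the quickest way to confirm the option took effect.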