Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000

This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
.BI "--reject-with " "type"
The type given can be
.nf
.B " icmp6-no-route"
.B " no-route"
.B " icmp6-adm-prohibited"
.B " adm-prohibited"
.B " icmp6-addr-unreachable"
.B " addr-unreach"
.B " icmp6-port-unreachable"
.B " port-unreach"
.fi
which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
the default). Finally, the option
.B tcp-reset
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).

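The following shell script is an added example and is not part of the ip6tables man page or the iptables project. It encodes the constraints stated above (REJECT only in INPUT, FORWARD or OUTPUT; the accepted --reject-with types; port-unreach as the default; tcp-reset only on rules matching TCP) as a small rule builder that prints the ip6tables command line instead of executing it, so it can be checked before any firewall change is applied. The function names and the 113/tcp ident rule are my own illustration, not project code.

```shell
#!/bin/sh
# Added example (not from the ip6tables man page): assemble an ip6tables
# REJECT rule as a command string and enforce the man page's constraints.
# Nothing is executed; the output is meant to be reviewed first.

# Built-in chains where REJECT is valid. User-defined chains called only
# from these are also valid, but that cannot be checked statically here.
REJECT_CHAINS="INPUT FORWARD OUTPUT"

# Accepted --reject-with types: the ICMPv6 names, their short aliases,
# and tcp-reset (TCP only).
REJECT_TYPES="icmp6-no-route no-route icmp6-adm-prohibited adm-prohibited \
icmp6-addr-unreachable addr-unreach icmp6-port-unreachable port-unreach tcp-reset"

# in_list WORD LIST -> returns 0 if WORD occurs in the space-separated LIST
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# build_reject_rule CHAIN PROTO [TYPE] [EXTRA_MATCHES]
#   Prints an ip6tables command on stdout; returns 1 (with a message on
#   stderr) when the rule would violate a constraint from the man page.
#   TYPE defaults to port-unreach, the man page's default.
build_reject_rule() {
  chain=$1
  proto=$2
  rtype=${3:-port-unreach}
  extra=$4
  if ! in_list "$chain" "$REJECT_CHAINS"; then
    echo "REJECT is only valid in INPUT, FORWARD or OUTPUT (got $chain)" >&2
    return 1
  fi
  if ! in_list "$rtype" "$REJECT_TYPES"; then
    echo "unknown --reject-with type: $rtype" >&2
    return 1
  fi
  if [ "$rtype" = tcp-reset ] && [ "$proto" != tcp ]; then
    echo "tcp-reset is only valid on rules matching -p tcp" >&2
    return 1
  fi
  echo "ip6tables -A $chain -p $proto${extra:+ $extra} -j REJECT --reject-with $rtype"
}

# Constructed illustration: answer ident (113/tcp) probes with a TCP RST,
# and reject other UDP input with the default port-unreach message.
build_reject_rule INPUT tcp tcp-reset "--dport 113"
build_reject_rule INPUT udp
```

Running the script prints two ip6tables commands; a call such as `build_reject_rule INPUT udp tcp-reset` fails because tcp-reset is restricted to TCP rules, and `build_reject_rule PREROUTING tcp` fails because REJECT is not valid there.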