This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
\fB\-\-reject\-with\fP \fItype\fP
The type given can be
\fBicmp\-net\-unreachable\fP,
\fBicmp\-host\-unreachable\fP,
\fBicmp\-port\-unreachable\fP,
\fBicmp\-proto\-unreachable\fP,
\fBicmp\-net\-prohibited\fP,
\fBicmp\-host\-prohibited\fP or
\fBicmp\-admin\-prohibited\fP (*)
which return the appropriate ICMP error message (\fBport\-unreachable\fP is
the default). The option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.PP
(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT.
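The constraints described above (valid chains, the list of reject types, and tcp-reset being limited to TCP rules), as an added example that is not part of the man page or the iptables project: a small POSIX sh helper that builds an iptables REJECT rule and refuses combinations the target does not allow. The function name reject_rule and the printed-rather-than-applied output are assumptions of this example.

```shell
#!/bin/sh
# Added example: build and sanity-check iptables REJECT rules using the
# constraints from the REJECT man page. The rule is printed, not applied;
# an administrator would review it and run it as root.

# Reject types named in the man page. When --reject-with is omitted the
# kernel default is icmp-port-unreachable.
REJECT_TYPES="icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable \
icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited \
icmp-admin-prohibited tcp-reset"

# reject_rule CHAIN PROTO DPORT [TYPE]
# Prints an 'iptables -A ...' command, or returns 1 with a message on
# stderr when the combination is one the REJECT target does not accept.
reject_rule() {
    chain=$1; proto=$2; dport=$3; rtype=${4:-icmp-port-unreachable}

    # REJECT is only valid in INPUT, FORWARD and OUTPUT (and user-defined
    # chains called from them, which this helper does not track).
    case "$chain" in
        INPUT|FORWARD|OUTPUT) ;;
        *) echo "reject_rule: REJECT is not valid in chain $chain" >&2; return 1 ;;
    esac

    # Only the reject types the man page lists are accepted.
    found=0
    for t in $REJECT_TYPES; do
        [ "$t" = "$rtype" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "reject_rule: unknown --reject-with type $rtype" >&2; return 1
    fi

    # tcp-reset may only be used on rules that match the TCP protocol.
    if [ "$rtype" = "tcp-reset" ] && [ "$proto" != "tcp" ]; then
        echo "reject_rule: tcp-reset requires -p tcp, got -p $proto" >&2; return 1
    fi

    printf 'iptables -A %s -p %s --dport %s -j REJECT --reject-with %s\n' \
        "$chain" "$proto" "$dport" "$rtype"
}

# Constructed usage: answer ident (113/tcp) probes with a TCP RST so remote
# mail hosts get an immediate answer instead of waiting for a timeout.
reject_rule INPUT tcp 113 tcp-reset
```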