Date:      Fri, 21 Feb 1997 09:14:54 +1100 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        David Nugent <davidn@labs.usn.blaze.net.au>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: "connection refused"
Message-ID:  <Pine.BSF.3.91.970221090816.8268Q-100000@panda.hilink.com.au>
In-Reply-To: <19970221002216.09741@usn.blaze.net.au>



On Fri, 21 Feb 1997, David Nugent wrote:

> On Feb 02, 1997 at 11:29:25PM, Darren Reed wrote:
> > > I'm currently working on a network server that needs to use local
> > > credentials on a remote connection, and if that fails, to issue a
> > > "connection refused".
> > 
> > You can't do this (using sockets).
> 
> > I don't quite understand how you want to use the credentials...the
> > description seems confusing.  Can you put it in TCP/IP terms ? :)
> 
> Sorry, just the remote address, as determined by accept(). I don't
> want or need network probes finding the server, which is why I'd
> like an attempted connection from anyone but specific ip addresses
> to get "connection refused", as though there was nothing there.
> The protocol in question will do challenge/key and encryption, but
> this is just to prevent probes from seeing it as a possible target
> in the first place.

I think the simplest thing would be to install Darren's ipfilter and use 
kernel-based packet filtering on the port you are protecting.  You can 
then define rules which send a TCP RST back to the connection originator 
if you don't like them.  The userland process never gets to see the 
connection attempt.

IPFIREWALL has a 'reject' keyword, but it sends an ICMP (port?) unreachable 
rather than an RST.  It would be nice if IPFIREWALL would send RSTs, but 
I have not got around to hacking that in yet.  (Any takers?)
Most OSs report the ICMP message as ECONNREFUSED, but other FreeBSD 
boxes don't.

 Danny
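
The difference the thread turns on, as an added example that is not part of the original message: a process that filters on the address returned by accept() can only abort a connection the kernel has already accepted, so the client's connect() succeeds first, whereas a port with no listener fails with ECONNREFUSED. The allowlist, loopback addresses and function names are constructed for the demonstration.

```python
import errno
import socket
import struct

ALLOWED = {"192.0.2.10"}  # constructed allowlist; loopback is deliberately not on it


def userland_refusal(allowed=ALLOWED):
    """Filter on the address from accept() and report what the client saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral loopback port for the demonstration
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(5)
    # The kernel finishes the handshake from the listen queue, so connect()
    # succeeds before the server process has even called accept().
    connect_errno = cli.connect_ex(srv.getsockname())
    conn, peer = srv.accept()
    rejected = peer[0] not in allowed
    if rejected:
        # l_onoff=1, l_linger=0 makes close() abort the connection with a RST.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    try:
        after = "eof" if cli.recv(1) == b"" else "data"
    except ConnectionResetError:
        after = "reset"
    finally:
        cli.close()
        srv.close()
    return {"connect_errno": connect_errno, "rejected": rejected, "after_accept": after}


def closed_port_errno():
    """Connect to a port with no listener: the result the poster wants to imitate."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # bound but never listening, so the port stays closed
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(5)
    try:
        return cli.connect_ex(holder.getsockname())
    finally:
        cli.close()
        holder.close()


if __name__ == "__main__":
    print("filtered after accept():", userland_refusal())
    print("no listener:", errno.errorcode[closed_port_errno()])
```

A client comparing the two results can tell the filtered service from an empty port, which is why the rejection has to happen in the kernel's packet filter before the handshake completes.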


