On Sun, 22 Aug 2004, Manuel Kasper wrote:

> On 22.08.2004 21:20 +0200, Frederick Page wrote:
>
> > I may have two small issues here:
> >
> > 1. the firewall rules apparently ALWAYS translate "reject" to
> > "block". The color on the php-page is always red, ipfw always shows
> > "block".
>
> This happens when you select neither "TCP" nor "UDP" as the protocol
> and is explained on the rule edit page.

However, there's no reason why it needs to be that way. For any protocol other than TCP, UDP, or ICMP, the corresponding thing would be to use "unreach protocol" instead of "unreach port". For ICMP, I don't think "active rejects" make any sense, since they just substitute one ICMP response for another. In that one case, I'd treat "reject" as "block".

It gets harder with wildcarded protocols like "TCP/UDP" or "any". Ideally, one would specify the most detailed reject wanted, and IPFilter would automatically downgrade it appropriately for the protocol of the packet in question. In practice, I don't think it's smart enough for that, so the only way to get the right effect would be with multiple rules.

Fred Wright
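The per-protocol downgrading of "reject" that Fred describes, and the "multiple rules" expansion for the TCP/UDP and "any" wildcards, as an added illustration that is not part of the thread and not m0n0wall's own rule generator. It assumes IPFilter's ipf.conf keywords `return-rst` (TCP reset) and `return-icmp(port-unr)` / `return-icmp(proto-unr)` (ICMP port / protocol unreachable), and IPFilter's `quick` first-match semantics, which is what lets the specific rules for an "any" reject be ordered ahead of a protocol-unreachable catch-all. The `GuiRule` shape and the sample addresses are constructed for the example.

```python
"""Hypothetical translator from a GUI-style firewall rule (action + protocol)
to IPFilter rule lines, applying the per-protocol "reject" rules discussed
in the thread.  Constructed example; not m0n0wall code.
"""
from dataclasses import dataclass
from typing import List, Optional

# Most specific active reject available for each concrete IP protocol.
# Assumption: ipf.conf syntax (return-rst, return-icmp(<code>)).
REJECT_BY_PROTO = {
    "tcp": "block return-rst",                 # TCP reset
    "udp": "block return-icmp(port-unr)",      # ICMP port unreachable
    "icmp": "block",                           # an active reject would only swap
                                               # one ICMP error for another, so
                                               # "reject" degrades to plain "block"
}
# For every other IP protocol the meaningful reject is "protocol unreachable".
OTHER_PROTO_REJECT = "block return-icmp(proto-unr)"


@dataclass
class GuiRule:
    """One rule as a web GUI would present it (constructed shape)."""
    action: str               # "pass", "block" or "reject"
    proto: str                # "tcp", "udp", "icmp", "tcp/udp", "any", or e.g. "gre"
    iface: str                # interface name, e.g. "fxp0"
    src: str                  # source address or "any"
    dst: str                  # destination address or "any"
    dport: Optional[str] = None   # destination port, only meaningful for tcp/udp


def _line(action: str, rule: GuiRule, proto_clause: str, dport: Optional[str]) -> str:
    """Render one ipf.conf line; 'quick' makes this rule final if it matches."""
    port_clause = f" port = {dport}" if dport else ""
    return (f"{action} in quick on {rule.iface}{proto_clause}"
            f" from {rule.src} to {rule.dst}{port_clause}")


def ipf_rules(rule: GuiRule) -> List[str]:
    """Return the ipf.conf line(s) implementing one GUI rule."""
    if rule.action in ("pass", "block"):
        proto_clause = "" if rule.proto == "any" else f" proto {rule.proto}"
        dport = rule.dport if rule.proto in ("tcp", "udp", "tcp/udp") else None
        return [_line(rule.action, rule, proto_clause, dport)]
    if rule.action != "reject":
        raise ValueError(f"unknown action {rule.action!r}")

    if rule.proto in REJECT_BY_PROTO:
        # Single concrete protocol: one rule with its most specific reject.
        dport = rule.dport if rule.proto != "icmp" else None
        return [_line(REJECT_BY_PROTO[rule.proto], rule, f" proto {rule.proto}", dport)]

    if rule.proto == "tcp/udp":
        # Wildcard over two protocols: IPFilter will not downgrade the reject
        # per packet, so emit one rule per protocol.
        return [_line(REJECT_BY_PROTO[p], rule, f" proto {p}", rule.dport)
                for p in ("tcp", "udp")]

    if rule.proto == "any":
        # First-match ("quick") ordering: the specific TCP/UDP/ICMP rejects go
        # first, then a protocol-unreachable catch-all for everything else.
        lines = [_line(REJECT_BY_PROTO[p], rule, f" proto {p}", rule.dport)
                 for p in ("tcp", "udp")]
        lines.append(_line(REJECT_BY_PROTO["icmp"], rule, " proto icmp", None))
        lines.append(_line(OTHER_PROTO_REJECT, rule, "", None))
        return lines

    # Any other single IP protocol (gre, esp, a protocol number, ...).
    return [_line(OTHER_PROTO_REJECT, rule, f" proto {rule.proto}", None)]


if __name__ == "__main__":
    # Constructed sample: reject everything to one host on fxp0.
    for line in ipf_rules(GuiRule("reject", "any", "fxp0", "any", "192.0.2.10")):
        print(line)
```

Running the module prints four lines for the sample rule: a TCP reset rule, a UDP port-unreachable rule, a plain ICMP block, and a final protocol-unreachable catch-all; because each line carries `quick`, a TCP packet never reaches the catch-all, which is the ordering that makes the "multiple rules" approach behave like the per-packet downgrade Fred would prefer IPFilter to do itself.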