[NoCat] Patch: tcp_rst-01.patch

Karl Gaissmaier karl.gaissmaier at kiz.uni-ulm.de
Tue, 29 Jul 2003 00:38:14 +0200



Name:
	tcp_rst-01.patch

Affected Files:
	libexec/iptables/initialize.fw

Version:
	Patch against 0.82 or later

Severity:
	works better with this patch

Description:
	Non-auth traffic is no longer dropped; instead it gets
	rejected. TCP traffic is rejected with the tcp-rst flag,
	and all other traffic is rejected with icmp-net-prohibited.
	FIN and RST packets, however, are still forwarded to the
	local network.

	With this patch you no longer have the problem with
	keepalive HTTP connections after a logout and an immediate
	login attempt, and users don't have to wait for timeouts
	if they don't start with an HTTP connection.

	Works fine for me.

Limitations:
	This patch is only for iptables since I'm no expert
	on packet filter. Perhaps another guy can adjust this
	for pf?


-- 
Karl Gaissmaier, KIZ/Infrastructure, Service Group Network
University of Ulm, Germany
Email: karl.gaissmaier@kiz.uni-ulm.de

diff -Naur NoCatAuth-nightly/libexec/iptables/initialize.fw NoCatAuth-mod/libexec/iptables/initialize.fw
--- NoCatAuth-nightly/libexec/iptables/initialize.fw	2003-03-27 04:21:04.000000000 +0100
+++ NoCatAuth-mod/libexec/iptables/initialize.fw	2003-07-26 16:41:12.000000000 +0200
@@ -217,8 +217,13 @@
     $fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
 fi
 
+# speed up response if client is not authenticated
+$fwd -s   $LocalNetwork -p TCP -j REJECT --reject-with tcp-reset
+$fwd -s ! $LocalNetwork -d $LocalNetwork -p tcp --tcp-flags RST RST -j ACCEPT
+$fwd -s ! $LocalNetwork -d $LocalNetwork -p tcp --tcp-flags FIN FIN -j ACCEPT
+
 # Filter policy.
-$fwd -j DROP
+$fwd -j REJECT --reject-with icmp-net-prohibited
 
 #
 # Call the bandwidth throttle rules.
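Review bot: the two inbound ACCEPT rules (`$fwd -s ! $LocalNetwork -d $LocalNetwork -p tcp --tcp-flags RST RST -j ACCEPT` and its FIN twin) match on a single flag bit and carry no connection-tracking match, so any packet from outside with RST or FIN set is forwarded into the local network whether or not the destination host is authenticated and whether or not a matching connection exists; `--tcp-flags FIN FIN` also matches FIN+ACK segments, which can carry a payload. Where conntrack is loaded, qualifying both rules with `-m state --state ESTABLISHED` keeps the fast teardown the patch is after (the closing segment of an already-tracked flow still reaches the client) while stopping unrelated flag-bearing packets from bypassing the `REJECT --reject-with icmp-net-prohibited` policy that follows. A comment saying why these two ACCEPT rules must precede the policy line would also help the next reader. Minor: `-p TCP` on the tcp-reset line is spelled differently from `-p tcp` on the two lines below it; use one spelling.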
