From: "Daniel O'Callaghan"
To: David Nugent
cc: freebsd-hackers@freebsd.org
Date: Fri, 21 Feb 1997 09:14:54 +1100 (EST)
Subject: Re: "connection refused"
In-Reply-To: <19970221002216.09741@usn.blaze.net.au>

On Fri, 21 Feb 1997, David Nugent wrote:

> On Feb 02, 1997 at 11:29:25PM, Darren Reed wrote:
> > > I'm currently working on a network server that needs to use local
> > > credentials on a remote connection, and if that fails, to issue a
> > > "connection refused".
> >
> > You can't do this (using sockets).
> >
> > I don't quite understand how you want to use the credentials...the
> > description seems confusing. Can you put it in TCP/IP terms ? :)
>
> Sorry, just the remote address, as determined by accept(). I don't
> want or need network probes finding the server, which is why I'd
> like an attempted connection from anyone but specific ip addresses
> to get "connection refused", as though there was nothing there.
> The protocol in question will do challenge/key and encryption, but
> this is just to prevent probes from seeing it as a possible target
> in the first place.
I think the simplest thing would be to install Darren's ipfilter and use kernel-based packet filtering on the port you are protecting. You can then define rules which send a TCP RST back to the connection originator if you don't like them. The userland process never gets to see the connection attempt.

IPFIREWALL has a 'reject' keyword, but it sends an ICMP (port?) unreachable rather than an RST. It would be nice if IPFIREWALL would send RSTs, but I have not got around to hacking that in yet. (Any takers?) Most OSs report the ICMP message as ECONNREFUSED, but other FreeBSD boxes don't.

Danny
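The ipfilter approach Danny describes, written out as an added example rule set (not from the thread or from the ipfilter project). The interface name `ed0`, the server address `192.0.2.1`, the client address `203.0.113.10` and port `4000` are assumptions chosen for illustration.

```conf
# Added example, not from the original message: ipfilter rules that let one
# client reach a service on TCP port 4000 and answer everyone else with a TCP RST.
# Interface, addresses and port are placeholders (assumptions).
#
# ipfilter evaluates rules last-match by default; "quick" makes the first
# matching rule final, so the pass rule must come before the block rule.

# Allowed client: accept the SYN and track the connection in the state table,
# so the rest of the session passes without further rules.
pass in quick on ed0 proto tcp from 203.0.113.10 to 192.0.2.1 port = 4000 flags S keep state

# Everyone else: return-rst sends a TCP RST, so the port looks closed to the
# sender and its connect() fails with ECONNREFUSED, just as if nothing were
# listening.  A plain "block" would drop the SYN silently instead, and the
# sender would see a timeout, which still tells a probe that something is there.
block return-rst in quick on ed0 proto tcp from any to 192.0.2.1 port = 4000
```

Load the rules with `ipf -Fa -f /etc/ipf.rules`, then check from both sides: a connect from 203.0.113.10 should reach the daemon, while a connect from any other host should fail immediately with "connection refused" and leave no accept() in the daemon's logs.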