lh | 9ed821d | 2023-04-07 01:36:19 -0700
This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to
.B DROP
so it is a terminating TARGET, ending rule traversal.
This target is only valid in the
.BR INPUT ,
.B FORWARD
and
.B OUTPUT
chains, and user-defined chains which are only called from those
chains. The following option controls the nature of the error packet
returned:
.TP
\fB\-\-reject\-with\fP \fItype\fP
The type given can be
\fBicmp\-net\-unreachable\fP,
\fBicmp\-host\-unreachable\fP,
\fBicmp\-port\-unreachable\fP,
\fBicmp\-proto\-unreachable\fP,
\fBicmp\-net\-prohibited\fP,
\fBicmp\-host\-prohibited\fP or
\fBicmp\-admin\-prohibited\fP (*)
which return the appropriate ICMP error message (\fBport\-unreachable\fP is
the default). The option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
TCP RST packet to be sent back. This is mainly useful for blocking
.I ident
(113/tcp) probes which frequently occur when sending mail to broken mail
hosts (which won't accept your mail otherwise).
.PP
(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT.
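As an added example (not part of the iptables man page), a small POSIX sh helper that builds REJECT rules under the constraints documented above: it accepts only the listed \-\-reject\-with types, refuses tcp\-reset on non-TCP rules and REJECT in PREROUTING/POSTROUTING, and prints the iptables command rather than running it unless RUN=1. The function name reject_rule and the RUN variable are this example's own.

```sh
#!/bin/sh
# Added example, not iptables project code. Builds "-j REJECT" rules that
# follow the REJECT target's documented restrictions and prints them;
# set RUN=1 to also execute the printed command (requires iptables on PATH).

# --reject-with types listed in the man page. tcp-reset is TCP-only, and
# icmp-admin-prohibited silently degrades to DROP on kernels without support.
VALID_TYPES="icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable
icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited
icmp-admin-prohibited tcp-reset"

# reject_rule CHAIN PROTO DPORT [TYPE]
# Prints the iptables command on stdout; returns 1 for a rule the target
# documentation forbids. TYPE defaults to icmp-port-unreachable, as iptables does.
reject_rule() {
    chain=$1; proto=$2; dport=$3; type=${4:-icmp-port-unreachable}

    # REJECT is only valid in INPUT, FORWARD, OUTPUT and user chains called
    # from them; the two other built-in chains are rejected outright.
    case "$chain" in
        PREROUTING|POSTROUTING)
            echo "REJECT is not valid in $chain" >&2; return 1 ;;
    esac

    found=0
    for t in $VALID_TYPES; do
        [ "$t" = "$type" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "unknown --reject-with type: $type" >&2; return 1
    fi

    # tcp-reset is only meaningful on rules that match the TCP protocol.
    if [ "$type" = tcp-reset ] && [ "$proto" != tcp ]; then
        echo "tcp-reset requires -p tcp (got -p $proto)" >&2; return 1
    fi

    cmd="iptables -A $chain -p $proto --dport $dport -j REJECT --reject-with $type"
    printf '%s\n' "$cmd"
    if [ "${RUN:-0}" = 1 ]; then $cmd; fi
}

# The man page's own use case: answer ident (113/tcp) probes with a TCP RST
# so broken mail hosts do not wait out a timeout before accepting mail.
reject_rule INPUT tcp 113 tcp-reset
# Default type (icmp-port-unreachable) for a UDP service.
reject_rule INPUT udp 161
```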