On Mon, Sep 20, 2021 at 11:45:06AM +0200, Bastian Blank wrote:
> On Mon, Sep 20, 2021 at 02:11:06AM +0000, Paul Wise wrote:
> > Normally one would get "Connection refused" when connecting to a port
> > that isn't open,
> "Connection refused" is generated by TCP reset packets.

That, or ICMP type 1 code 3 packets ("destination port unreachable"). See
below.

> > but at this site one gets "No route to host", as if
> > there is no network path to reach the host,
> "No route to host" is generated by an ICMP error.

Specifically, by ICMP type 1 code 1 ("destination host unreachable"). It
has become fashionable to use that code to reject connection attempts,
but personally I find that to be very confusing if it's used for a
single port rather than a whole host or network.
It's possible to use the correct ICMP code in firewalls, and then
connection error messages become far less confusing:
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
root@pc181009:~# iptables -D INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
root@pc181009:~# iptables -A INPUT -p tcp --dport 3000 -j REJECT --reject-with icmp-host-unreachable
root@pc181009:~# telnet -4 localhost 3000
Trying 127.0.0.1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: No route to host
but you do you of course ;-)
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
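
Added example, not part of the original message: a small probe that reads the error returned by a TCP connect and reports which kind of rejection would produce it, matching the two telnet outcomes shown above. The function names `classify` and `probe` are hypothetical, and the errno mapping assumes Linux behaviour.

```python
import errno
import socket

# Verdicts keyed by the errno that connect() reports (Linux behaviour assumed).
VERDICTS = {
    0: ("open", "handshake completed; something is listening"),
    errno.ECONNREFUSED: (
        "refused",
        "TCP RST, or a REJECT rule using icmp-port-unreachable"),
    errno.EHOSTUNREACH: (
        "host-unreachable",
        "real routing failure, or a REJECT rule using icmp-host-unreachable"),
    errno.ENETUNREACH: (
        "net-unreachable",
        "no route from this machine, or ICMP network unreachable"),
}

# connect_ex() on a socket with a timeout reports expiry as EAGAIN/EWOULDBLOCK.
NO_ANSWER = (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK)


def classify(err):
    """Map a connect() errno to (verdict, likely cause)."""
    if err in NO_ANSWER:
        return ("filtered", "no reply at all; packets are probably dropped")
    return VERDICTS.get(err, ("other", errno.errorcode.get(err, str(err))))


def probe(host, port, timeout=3.0):
    """Attempt one IPv4 TCP connect to an IP literal and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return classify(s.connect_ex((host, port)))


if __name__ == "__main__":
    # Constructed demo: a throwaway listener on loopback, probed while it is
    # listening and again after it has been closed.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))
    srv.close()
    print(port, probe("127.0.0.1", port))
```

A "host-unreachable" verdict for one port while other ports on the same address answer points to a firewall reject rule rather than a routing problem.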