Switch IPv4 rejects from host-prohibit to admin
When generically rejecting connections, we'd prefer to signal to users clearly that it's the firewall rejecting them. For IPv4 we previously emitted generic ICMP "no route to host" responses, but this tends to make it look incorrectly like a routing failure. Switch to flagging our error responses as "administratively prohibited" which is more accurate and less confusing. We're also already using icmp6-adm-prohibited for the v6 rules, so this makes our v4 ruleset more consistent. Note that the iptables-extensions(8) manpage indicates "Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT" but all our kernels should have support for it these days so this isn't a concern. Change-Id: Id423f3ec03d0c3c4e40ddef34c38f97167b173f6
This commit is contained in:
parent
f1bcb6a586
commit
7308220484
@ -34,5 +34,5 @@
|
|||||||
{% endif -%}
|
{% endif -%}
|
||||||
{% endfor -%}
|
{% endfor -%}
|
||||||
{% endfor -%}
|
{% endfor -%}
|
||||||
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
|
-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -100,7 +100,7 @@ def verify_iptables(host):
|
|||||||
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
|
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
|
||||||
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
|
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
|
||||||
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
|
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
|
||||||
'-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
|
'-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
|
||||||
]
|
]
|
||||||
for rule in needed_rules:
|
for rule in needed_rules:
|
||||||
assert rule in rules
|
assert rule in rules
|
||||||
|
Loading…
Reference in New Issue
Block a user