Why is port 43 the only one that rejects instead of blocks?

flami (New Member), Apr 30, 2020
Hi,

I ran good ole nmap against a container that has every port set to drop on my cluster, but it seems there is port 43 that rejects instead.

If you look at the firewall default rules (https://git.proxmox.com/?p=pve-fire...2161fca975cc93cd8ec2ce3a561161a4;hb=HEAD#l152):

    'PVEFW-Drop' => [
        # same as shorewall 'Drop', which is equal to DROP,
        # but REJECT/DROP some packages to reduce logging,
        # and ACCEPT critical ICMP types
        { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
        ....
    ],
    'PVEFW-Reject' => [
        # same as shorewall 'Reject', which is equal to Reject,
        # but REJECT/DROP some packages to reduce logging,
        # and ACCEPT critical ICMP types
        { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'

It seems that even under PVEFW-Drop it rejects port 43 and does not drop. Is that intentional? What does it achieve?
 
# same as shorewall 'Drop', which is equal to DROP,
# but REJECT/DROP some packages to reduce logging,
# and ACCEPT critical ICMP types
This might say it already. Port 43 is a whois query.
 
Yes, I see that it is a port for whois queries. I'm just wondering why it is set to Reject and not Drop when all the other ports are set to Drop in PVEFW-Drop. Does the whois protocol react badly if it is set to Drop?
 
I'd guess it is more about the similarity with shorewall and that there might be more logging going on. Rejecting instead of dropping is probably more RFC-conformant.
https://tools.ietf.org/html/rfc792
 
Well, if you want to send the correct ICMP replies, why not use policy_in: REJECT? I just find it odd that when setting the default action to DROP, there is that one TCP port that for some reason does a REJECT. It's not like I'm a registrar and I have anything to do with whois. Plus the comment says something about "auth", which is even more confusing. What is it trying to tell me?

From what I'm gathering from that comment, the main settings to be like shorewall are a few lines above the ones I copied, and the ones I copied are some extra Proxmox goodies to reduce logging.

I googled a bunch and I couldn't find anything about how you should reject the whois port instead of drop.
Are you certain that this rule shouldn't say DROP instead of PVEFW-reject? I tried it, works perfectly fine if you do that.
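The DROP-versus-REJECT difference discussed in this thread is visible from the client side: a REJECT rule answers immediately (with a TCP reset or an ICMP error, depending on how the reject chain is built), so connect() fails at once, while a DROP rule answers nothing and the client only sees a timeout. The following Python probe, added here as an illustration and not code from the thread or from the pve-firewall project, classifies a port as "open", "rejected" or "dropped" on that basis, so you can check that a container whose policy_in is DROP really looks dropped on every port you expect. It assumes a Linux-style errno mapping (ECONNREFUSED for a reset, EHOSTUNREACH/ENETUNREACH for ICMP unreachable); the host, port list and expected state are parameters you supply.

```python
import errno
import socket

# Classify how a TCP port answers a plain connect(), in the terms nmap uses:
#   "open"     - three-way handshake completed (a service is listening)
#   "rejected" - the peer, or a firewall REJECT rule in front of it, answered
#                with a TCP RST or an ICMP unreachable; nmap reports "closed"
#   "dropped"  - nothing came back before the timeout, which is what a DROP
#                policy looks like from outside; nmap reports "filtered"
def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "dropped"
        except OSError as e:
            # ECONNREFUSED: a TCP RST (or ICMP port-unreachable) arrived.
            # EHOSTUNREACH / ENETUNREACH: an ICMP unreachable / admin-prohibited
            # message arrived, another shape an iptables REJECT can take.
            if e.errno in (errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "rejected"
            raise


def audit_policy(host: str, ports, expected: str, timeout: float = 2.0) -> dict:
    """Probe every port in `ports` and return {port: observed} for those whose
    observed state differs from `expected` ("dropped" for a DROP policy,
    "rejected" for a REJECT policy). An empty dict means the policy holds."""
    mismatches = {}
    for port in ports:
        observed = probe_tcp_port(host, port, timeout)
        if observed != expected:
            mismatches[port] = observed
    return mismatches


def demo_localhost() -> tuple:
    """Self-contained demonstration on the loopback interface: a listening
    socket probes as "open"; once it is closed the same port probes as
    "rejected", because the kernel answers the SYN with a RST exactly as a
    REJECT rule would. Returns the two observed states."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_localhost())  # expected: ('open', 'rejected')
    # Example audit of a container with policy_in: DROP (host is a placeholder):
    # print(audit_policy("CONTAINER_IP_PLACEHOLDER", [22, 43, 80, 443], "dropped"))
```

In the thread's situation, running audit_policy against the container with expected="dropped" would list port 43 as "rejected" while the other ports stay absent from the result, which is exactly the asymmetry nmap showed. The loopback demo cannot produce the "dropped" outcome, since nothing on loopback silently discards packets; that case only appears against a host behind a DROP rule, where the probe returns after the timeout you pass.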
 
Not quite sure what the rationale was behind it back then. You can add a report on our bug tracker, so we can have a look at it.
https://bugzilla.proxmox.com/