Incomprehensible behavior

Incomprehensible behavior

[toml]

(I'm so sorry... my previous post is in failed format... please ignore)

Hello @ all

I'm still struggling anymore with the new syntax at
ApplicationLayerGateway/FTP and testing with smallest steps. In doing
so I have now come across the following effect. I have 2 test-rules
here, both of which i expected to completely block any outgoing
traffic.

But as you can see from the second example in the counter, only here is
blocked. The first example has no effect at all, everything works as if
it was not blocked.

# nft list ruleset
table ip filter {
 chain output {
 type filter hook output priority 0; policy drop;
 meta pkttype { 0, 1, 2 } accept
 counter packets 0 bytes 0 reject with icmp 13
 }
}

# nft list ruleset
table ip filter {
 chain output {
 type filter hook output priority 0; policy drop;
 meta pkttype { 1, 2 } accept
 counter packets 1858 bytes 165434 reject with icmp 13
 }
}

Is this a desired behavior, when a unicast-accept virtually neutralizes
the complete filter? How do I deal with this problem?

Best Regards
Thomas

Re: Incomprehensible behavior

[Florian Westphal]

toml <toml@thlu.de> wrote:
> (I'm so sorry... my previous post is in failed format... please ignore)
> 
> Hello @ all
> 
> I'm still struggling anymore with the new syntax at
> ApplicationLayerGateway/FTP and testing with smallest steps. In doing
> so I have now come across the following effect. I have 2 test-rules
> here, both of which i expected to completely block any outgoing
> traffic.
> 
> But as you can see from the second example in the counter, only here is
> blocked. The first example has no effect at all, everything works as if
> it was not blocked.
> 
> # nft list ruleset
> table ip filter {
>  chain output {
>  type filter hook output priority 0; policy drop;
>  meta pkttype { 0, 1, 2 } accep

What do you expect that line to do?

This accepts all packets, so all trailing rules
are bypassed and chain policy has no effect.

Re: Incomprehensible behavior

[toml]

Am Donnerstag, dem 03.08.2023 um 17:04 +0200 schrieb Florian Westphal:
> 
> What do you expect that line to do?
> 
> This accepts all packets, so all trailing rules
> are bypassed and chain policy has no effect.

Yes, it is so.

Obviously, I completely misunderstood. I had always assumed that
unicast, multicast and broadcast were something like a lan-technical
messaging system, such as is needed (as example) for router
advertisements or icmp. I assumed, that they must not be blocked for
error-free LAN operations, a bit like ICMP-V6. 

It is really complicated to find the right way. 

Thomas

Incomprehensible behavior

[toml]

Hello @ all

I'm still struggling anymore with the new syntax at ApplicationLayerGateway/FTP and testing with smallest steps. In doing so I have now come across the following effect. I have 2 test-rules here, both of which i expected to completely block any outgoing traffic.

But as you can see from the second example in the counter, only here is blocked. The first example has no effect at all, everything works as if it was not blocked.

# nft list ruleset
table ip filter {
    chain output {
        type filter hook output priority 0; policy drop;
        meta pkttype { 0, 1, 2 } accept
        counter packets 0 bytes 0 reject with icmp 13
    }
}

# nft list ruleset
table ip filter {
    chain output {
        type filter hook output priority 0; policy drop;
        meta pkttype { 1, 2 } accept
        counter packets 1858 bytes 165434 reject with icmp 13
    }
}

Is this a desired behavior, when a unicast-accept virtually neutralizes the complete filter? How do I deal with this problem?

Best Regards
Thomas