The resp Keyword
You can use the `resp` keyword to actively respond to TCP connections or UDP sessions, depending on whether you specify the TCP or UDP protocol in the rule header.
Keyword arguments let you specify the direction of the response and whether the system sends TCP reset (RST) packets or ICMP unreachable packets as the active response.

You can use any of the TCP reset or ICMP unreachable arguments to close TCP connections. Use only the ICMP unreachable arguments to close UDP sessions: RST is a TCP flag, and a UDP session has no connection state that a reset could tear down.

The TCP reset arguments let you target the response at the packet source, the destination, or both. All ICMP unreachable arguments target the packet source; they let you choose whether to send an ICMP network, host, or port unreachable message, or all three.
The following table lists the arguments you can use with the `resp` keyword to specify exactly what the system does when the rule triggers.
| Argument | Description |
|---|---|
| `reset_source` | Directs a TCP reset packet to the endpoint that sent the packet that triggered the rule. Alternatively, you can specify |
| `reset_dest` | Directs a TCP reset packet to the intended destination endpoint of the packet that triggered the rule. Alternatively, you can specify |
| `reset_both` | Directs a TCP reset packet to both the sending and receiving endpoints. Alternatively, you can specify |
| `icmp_net` | Directs an ICMP network unreachable message to the sender. |
| `icmp_host` | Directs an ICMP host unreachable message to the sender. |
| `icmp_port` | Directs an ICMP port unreachable message to the sender. Use this argument to terminate UDP traffic. |
| `icmp_all` | Directs all three ICMP unreachable messages (network, host, and port unreachable) to the sender. |
For example, to configure a rule that resets both sides of a connection when the rule triggers, use `reset_both` as the value of the `resp` keyword.
You can use a comma-separated list to specify multiple arguments, as follows:

argument,argument,argument
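As an added example (not code from the original page or from the vendor), the following Python script lints rules against the constraints this section states: `resp` is meaningful only on a TCP or UDP rule, every argument must be one of the seven listed in the table, arguments may be given as a comma-separated list, and a UDP rule should carry only ICMP unreachable arguments. The sample rules, the helper names (`split_options`, `check_resp`) and the simplified header pattern are assumptions made for this example; the page does not define them.

```python
import re

# Arguments from the resp keyword table.
TCP_RESET_ARGS = {"reset_source", "reset_dest", "reset_both"}
ICMP_ARGS = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}
RESP_ARGS = TCP_RESET_ARGS | ICMP_ARGS

# Simplified rule header: action proto src_ip src_port dir dst_ip dst_port (options)
# This pattern is an assumption for the example; it does not cover every
# header form a rule engine accepts.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*"
    r"\((?P<body>.*)\)$",
    re.DOTALL,
)


def split_options(body: str) -> list[str]:
    """Split the rule body on ';', ignoring semicolons inside double quotes
    (and backslash-escaped characters inside those quotes)."""
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            option = "".join(current).strip()
            if option:
                options.append(option)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options


def check_resp(rule: str) -> list[str]:
    """Return the problems found with the rule's resp keyword (empty list = OK).

    The checks implement the constraints from the text: resp applies to TCP or
    UDP rules, each argument must be a known resp argument, and a UDP rule
    should use only ICMP unreachable arguments.
    """
    match = HEADER_RE.match(rule.strip())
    if not match:
        return ["rule header could not be parsed"]
    proto = match.group("proto").lower()
    problems = []
    for option in split_options(match.group("body")):
        keyword, _, value = option.partition(":")
        if keyword.strip().lower() != "resp":
            continue
        if proto not in ("tcp", "udp"):
            problems.append(f"resp is only meaningful on a tcp or udp rule, not '{proto}'")
        # Arguments are given as a comma-separated list.
        args = [a.strip() for a in value.split(",")] if value.strip() else []
        if not args:
            problems.append("resp requires at least one argument")
        for arg in args:
            if arg not in RESP_ARGS:
                problems.append(f"unknown resp argument '{arg}'")
            elif proto == "udp" and arg in TCP_RESET_ARGS:
                problems.append(
                    f"'{arg}' is a TCP reset argument; a UDP rule should use "
                    "only ICMP unreachable arguments"
                )
    return problems


# Constructed sample rules for this example (not taken from the page).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed: reset both ends"; '
    'flow:to_server,established; content:"SSH-1.99"; resp:reset_both; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed: close UDP session"; '
    'content:"|00 00 01 00 00 01|"; resp:icmp_port; sid:1000002; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"constructed: TCP reset on UDP"; '
    'resp:reset_source; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: list with a typo"; '
    'content:"GET /admin"; resp:reset_dest,icmp_prot; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.split("(")[0].strip(), "->", check_resp(rule) or "OK")
```

Run the script against a rules file before deploying it: the first two constructed rules pass, the third is flagged because `reset_source` is a TCP reset argument on a UDP rule, and the fourth is flagged for the misspelled `icmp_prot` in its comma-separated list.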