From c2794131b445ebccba184066af6d3fb2f38d1f38 Mon Sep 17 00:00:00 2001 From: Henrik Nordstrom Date: Thu, 22 Jan 2004 15:04:24 +0000 Subject: split manpages into per-extension manpage snippet (Henrik Nordstrom) add lots of missing manpage snippets (Harald Welte) --- extensions/libipt_REJECT.man | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 extensions/libipt_REJECT.man (limited to 'extensions/libipt_REJECT.man') diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man new file mode 100644 index 00000000..174bf7b3 --- /dev/null +++ b/extensions/libipt_REJECT.man @@ -0,0 +1,34 @@ +This is used to send back an error packet in response to the matched +packet: otherwise it is equivalent to +.B DROP +so it is a terminating TARGET, ending rule traversal. +This target is only valid in the +.BR INPUT , +.B FORWARD +and +.B OUTPUT +chains, and user-defined chains which are only called from those +chains. The following option controls the nature of the error packet +returned: +.TP +.BI "--reject-with " "type" +The type given can be +.nf +.B " icmp-net-unreachable" +.B " icmp-host-unreachable" +.B " icmp-port-unreachable" +.B " icmp-proto-unreachable" +.B " icmp-net-prohibited" +.B " icmp-host-prohibited or" +.B " icmp-admin-prohibited (*)" +.fi +which return the appropriate ICMP error message (\fBport-unreachable\fP is +the default). The option +.B tcp-reset +can be used on rules which only match the TCP protocol: this causes a +TCP RST packet to be sent back. This is mainly useful for blocking +.I ident +(113/tcp) probes which frequently occur when sending mail to broken mail +hosts (which won't accept your mail otherwise). +.TP +(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT -- cgit v1.2.3