Firewall: why no route to host?

I have a LAN with two nodes. One runs Fedora and acts as a server, and has some default firewall configuration bundled. The second runs Arch (but that shouldn’t make any difference).

On the Fedora system, I have a TCP server on port 25025. Unless I have configured the firewall to allow incoming connections on that port, Java software on the Arch host throws a NoRouteToHost exception, while in this situation I’d expect connection refused.

Why does it happen this way?

Asked By: Mikhail Krutov

There are generally two options for blocking traffic when it comes to iptables/firewalld security: DROP the packet or REJECT it.

REJECT results in an icmp-host-prohibited ICMP packet being sent back to the client informing them that the end host refused the connection. This is usually described as “Connection Refused” by your application.

DROP results in the end host not sending anything back in response to the TCP connection request. Since nothing is sent back, this appears to the client as being identical to the packets just being lost or dropped by some router. Since clients will usually make multiple attempts to establish a connection, it assumes there’s something wrong with the routing on the network (which is technically true in this case) and reports back that the problem is with routing the packet over the network.

So it would appear that your firewall is just dropping packets while not opting to send the ICMP packet informing the other node.

Answered By: Bratchley
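As an added example (not part of the original question or answer), here is a small client-side diagnostic in Python that maps the errno a failed `connect()` reports on Linux to the message the application shows and to what on the wire produced it. The errno assignments are Linux kernel behaviour: a TCP RST gives ECONNREFUSED, an ICMP "administratively prohibited" reply (what a REJECT rule using `icmp-host-prohibited` sends) gives EHOSTUNREACH, and no reply at all (a DROP rule) ends in ETIMEDOUT; Java surfaces these as `ConnectException: Connection refused`, `NoRouteToHostException`, and a timeout respectively. The host and port in the usage stanza are placeholders.

```python
import errno
import os
import socket

# Added example, not code from the thread.  Map the errno of a failed
# connect() on Linux to the client-visible message and the likely cause.
CAUSES = {
    errno.ECONNREFUSED: (
        "Connection refused",
        "peer answered the SYN with a TCP RST: nothing listening on that port, "
        "or a REJECT rule using --reject-with tcp-reset",
    ),
    errno.EHOSTUNREACH: (
        "No route to host",
        "an ICMP destination-unreachable 'administratively prohibited' reply: "
        "a REJECT rule using icmp-host-prohibited, or a genuine routing problem",
    ),
    errno.ETIMEDOUT: (
        "Connection timed out",
        "no reply at all before the SYN retries ran out: a DROP rule, "
        "or packets lost in transit",
    ),
}


def classify(err: int) -> tuple[str, str, str]:
    """Return (errno name, client-visible message, likely cause) for an errno."""
    name = errno.errorcode.get(err, f"errno {err}")
    if err in CAUSES:
        message, cause = CAUSES[err]
    else:
        message = os.strerror(err) if err in errno.errorcode else "unknown error"
        cause = "not a firewall signature; inspect the error directly"
    return name, message, cause


def probe(host: str, port: int, timeout: float = 3.0) -> tuple[str, str, str]:
    """Attempt one TCP connect and classify the outcome.

    A socket timeout is treated like ETIMEDOUT, since from the client's point
    of view both mean the SYN went unanswered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return classify(errno.ETIMEDOUT)
        except OSError as exc:
            return classify(exc.errno if exc.errno is not None else -1)
    return ("OK", "connected", "port is open and reachable")


if __name__ == "__main__":
    # Placeholder target: replace with the server under test.
    name, message, cause = probe("192.0.2.10", 25025)
    print(f"{name}: {message}\n  likely cause: {cause}")
```

Running `probe()` against the server from another host tells you which of the three behaviours the firewall is exhibiting without needing a packet capture; a capture on the server (`tcpdump -ni any port 25025 or icmp`) confirms it by showing either the RST, the ICMP reply, or only unanswered SYNs.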