Try as I might, I cannot find a way to do the equivalent of the venerable iptables target REJECT --with-icmp-ureachable or --with-tcp-reset for basic firewalling on a 4020. This is handy for bouncing internal clients quickly, whereas DROP is better to make things slower for adversaries who are scanning our nets from outside. For example. If I want to prevent smtp/ntp/dns attempts for our internal clients, thus forcing them through the relevant internal services, I don't expect them to have to wait for a timeout, when a simple reject rule can speed things along for them. It seems the two targets available for basic layer 3 firewalling are simply allow, or drop. Why no reject? I hope someone knows how. If this is the wrong forum I apologise, but I expect this is a missing feature. I feel it's quite a basic essential.
... View more