add reject-with tcp-reset function
The "reject" action in the packet filter rules sends an ICMP Destination Unreachable to the rejected host. It seems that most applications ignore this ICMP. Therefore other firewall systems implemented the "reject-with tcp-reset" function. This way a TCP session will be ended, and hopefully the application will not have to wait that long until it realizes that the connection is not permitted.
This is needed because many computers and other devices suffer from network hangs because they try to connect to forbidden hosts.
iptables -A USR_FORWARD -j REJECT --reject-with tcp-reset --source ***.***.***.***/XX -d 0.0.0.0/0 -p tcp
to create a reject rule that acts as the default reject rule with TCP reset on our UTM.
The hang-up of one application, which often suffered from such behaviour, is gone!!!
But as we know, changes made with iptables on the shell are only temporary and cannot be made permanent...
So please, can you implement the --reject-with tcp-reset parameter in the WebAdmin? Shouldn't be a whole lot of work, I believe ;-)
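The following is an added example (not code from the original post or from the UTM), showing how the rule above generalizes: it emits one REJECT rule per protocol, using tcp-reset for TCP and icmp-port-unreachable for UDP, and refuses to pair tcp-reset with anything but -p tcp, because iptables only accepts --reject-with tcp-reset together with -p tcp. The chain name USR_FORWARD is taken from the post; the source network 192.0.2.0/24 and the APPLY switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate default-reject rules with the right reject type
# per protocol. Only tcp may use --reject-with tcp-reset; everything else
# gets an ICMP port-unreachable. Chain and source network are placeholders.

# reject_rule CHAIN SOURCE PROTO
# Prints the iptables command for the given protocol.
# Returns 1 for protocols other than tcp/udp, since tcp-reset is invalid
# without -p tcp and iptables would refuse the rule anyway.
reject_rule() {
    chain=$1; src=$2; proto=$3
    case "$proto" in
        tcp) target="tcp-reset" ;;              # RST ends the session immediately
        udp) target="icmp-port-unreachable" ;;  # no RST for UDP; ICMP is the only option
        *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    printf 'iptables -A %s -s %s -d 0.0.0.0/0 -p %s -j REJECT --reject-with %s\n' \
        "$chain" "$src" "$proto" "$target"
}

# apply_rules CHAIN SOURCE
# Emits the tcp and udp reject rules; with APPLY=1 (and root) it also runs them.
apply_rules() {
    chain=$1; src=$2
    for proto in tcp udp; do
        cmd=$(reject_rule "$chain" "$src" "$proto") || return 1
        echo "$cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"
        fi
    done
}

# Usage (prints the rules only; set APPLY=1 to actually insert them):
# apply_rules USR_FORWARD 192.0.2.0/24
```

On a plain Linux host the resulting rules can be persisted with iptables-save and restored at boot with iptables-restore; on the UTM, as the post notes, rules added on the shell do not survive, because the firewall regenerates its rule set from the WebAdmin configuration.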
To my understanding, a SYN packet, which applications send to initiate a connection to the internet, can be answered by a RST packet, which tells the connection to close. Either a TCP RST or a timeout can end a TCP connection. Answering a TCP SYN packet with ICMP port unreachable might be like answering in Arabic when the question was asked in English; it probably won't get understood ;-) To my understanding, iptables, which the UTM uses, is capable of TCP RST.
We have made similar observations in our company environment, where workstations have no direct internet access. Applications try to establish a TCP connection to the internet, which gets rejected by the firewall, but the applications keep trying to connect. Some applications go into a "hang-up state" and only become controllable again after a long time, when finally some sort of timeout happens. This is especially problematic for applications whose internet access cannot be deactivated within the application itself because there is no setting which could be changed/deactivated.