authorDavid Lönnhager <david.l@mullvad.net>2020-05-20 11:03:15 +0200
committerDavid Lönnhager <david.l@mullvad.net>2020-06-03 13:33:40 +0200
commitddabbd93019c49d4de3a27a3f4536776ee0b1f42 (patch)
tree87040c26f5f1e70da88eef0bd59ea632db0e42c4
parent902ce9fec479abc39584c8ab411b89a3d9056053 (diff)
Reject select outgoing traffic instead of silently dropping it on Linux
-rw-r--r--talpid-core/src/firewall/linux.rs18
1 files changed, 15 insertions, 3 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index abe542d4b3..c1cc847d60 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -5,7 +5,7 @@ use lazy_static::lazy_static;
use libc;
use nftnl::{
self,
- expr::{self, Payload, Verdict},
+ expr::{self, IcmpCode, Payload, RejectionType, Verdict},
nft_expr, table, Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table,
};
use std::{
@@ -480,6 +480,15 @@ impl<'a> PolicyBatch<'a> {
if allow_lan {
self.add_allow_lan_rules();
}
+
+ // Reject any remaining outgoing traffic
+ let mut reject_rule = Rule::new(&self.out_chain);
+ add_verdict(
+ &mut reject_rule,
+ &Verdict::Reject(RejectionType::Icmp(IcmpCode::PortUnreach)),
+ );
+ self.batch.add(&reject_rule, nftnl::MsgType::Add);
+
Ok(())
}
@@ -567,12 +576,15 @@ impl<'a> PolicyBatch<'a> {
fn add_drop_dns_rule(&mut self) {
let mut block_udp_rule = Rule::new(&self.out_chain);
check_port(&mut block_udp_rule, TransportProtocol::Udp, End::Dst, 53);
- add_verdict(&mut block_udp_rule, &Verdict::Drop);
+ add_verdict(
+ &mut block_udp_rule,
+ &Verdict::Reject(RejectionType::Icmp(IcmpCode::PortUnreach)),
+ );
self.batch.add(&block_udp_rule, nftnl::MsgType::Add);
let mut block_tcp_rule = Rule::new(&self.out_chain);
check_port(&mut block_tcp_rule, TransportProtocol::Tcp, End::Dst, 53);
- add_verdict(&mut block_tcp_rule, &Verdict::Drop);
+ add_verdict(&mut block_tcp_rule, &Verdict::Reject(RejectionType::TcpRst));
self.batch.add(&block_tcp_rule, nftnl::MsgType::Add);
}
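Review bot: `add_drop_dns_rule` (hunk `@@ -567,12 +576,15 @@`) now emits Reject verdicts rather than Drop, so its name no longer describes what it does; renaming it to `add_reject_dns_rule` (and its caller, which is outside this diff) would keep the code honest. The catch-all reject added in the second hunk is only correct if it remains the last rule appended to `out_chain` after every allow rule, and since the enclosing function starts outside the hunk a later addition could easily land after it, so a comment such as `// Must stay last: anything not explicitly allowed above is rejected with ICMP port-unreachable so local applications fail fast (ECONNREFUSED) instead of timing out` would record that ordering invariant. Using `IcmpCode::PortUnreach` for all remaining TCP traffic while the DNS rule uses `RejectionType::TcpRst` is inconsistent; if the intent is an immediate RST for blocked TCP connects, a TCP-specific `Verdict::Reject(RejectionType::TcpRst)` rule placed just before the generic reject would match the DNS handling. Note also that the ICMP error the kernel generates for an output-chain reject is itself routed back to the local address through the output path, so the earlier loopback allow rules (not visible here) are presumably what let it reach the socket — worth confirming.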