5
telnet 8.8.8.8 8888

displays

Trying...

I was expecting that this is refused directly.

Background: When we have an NGINX reverse proxy server, it would be great if it detected directly when the backend is not there.

Jeff Schaller
Alex

2 Answers

15

It depends on what the remote end sends back.

For a port where no process is listening, the remote sends a packet with the reset (RST) bit set, which results in the "Connection refused" error on the client. Another possibility is an ICMP "Port unreachable" message, which e.g. Linux's iptables -j REJECT sends by default. That would also result in "Connection refused".

On the other hand, if the remote sends back nothing, then the client can't know what the issue is, and will probably retry and/or wait perhaps a significant amount of time.

An example with iptables on Linux:

# iptables -I INPUT -p tcp --dport 3001 -j REJECT
# iptables -I INPUT -p tcp --dport 3002 -j DROP

$ nc -v 127.0.0.1 3000
nc: connect to 127.0.0.1 port 3000 (tcp) failed: Connection refused

$ nc -v 127.0.0.1 3001
nc: connect to 127.0.0.1 port 3001 (tcp) failed: Connection refused

$ nc -v 127.0.0.1 3002
(waits...)

So, to find out that the backend is not alive, you need to make sure there's someone in there to send an error back. That, of course, may be hard to do if the whole host goes down, so you may just have to arrange for a shorter timeout.

ilkkachu
  • Note that many misguided network admins block ICMP packets on their networks. If there's such a network between you and the server, ICMP "Port unreachable" packets may not get through, leading to a timeout. – James_pic Oct 31 '19 at 12:12
8

The TCP stack decides how to respond to a connection, based on a set of rules (it could be at the firewall level). You can REJECT the connection package (SYN), but you can also DROP it. Dropping it makes sense because of port scanning, for example.

Eduardo Trápani
  • But is this normal behavior? Actually the Google DNS was only an example. What if I want my own server to behave properly and reject the connections? – Alex Oct 30 '19 at 15:33
  • The behaviour depends on the administrator and the default security policies of the network. I don't know if there is a "normal behaviour" in that respect. You can play with that yourself using iptables in your system. You could even reject ports where there is no service. – Eduardo Trápani Oct 30 '19 at 15:43
  • 3
    @Alex "What if I want my own server to behave properly and reject the connections?" Often, the desired way for a server to handle unwanted TCP connections is to drop this traffic, not reject it. Dropping is usually more secure than rejecting. But if this is not public facing, then you can set the default policy on your firewall to reject. – 111--- Oct 30 '19 at 17:29
  • 1
    @111--- in the case of a remote proxy, the proxied server is often not reachable from the internet, so it does not make sense to hide its existence by dropping SYN packets. – Hans-Martin Mosner Oct 31 '19 at 06:49