How much do teaching responsibilities hinder a researcher at a small university?
The REJECT
target rejects the packet. If you do not specify which ICMP message to reject with, the server by default will send back ICMP port unreachable (type 3, code 3).
--reject-with
modifies this behaviour to send a specific ICMP message back to the source host. You can find information about --reject-with
and the available rejection messages in man iptables
:
REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:
--reject-with type
The type given can be:
- icmp-net-unreachable
- icmp-host-unreachable
- icmp-port-unreachable
- icmp-proto-unreachable
- icmp-net-prohibited
- icmp-host-prohibited or
- icmp-admin-prohibited (*)
which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
- How does a JTI prevent a JWT from being replayed?
- How often should the JTI field be regenerated? On every request? or only when a new token is generated?
I believe the answers to these two questions will depend on the application itself.
For example, if it has been programmed to only receive messages that have a unique JTI, then a replay of the same JTI can be ignored by the application.
The JTI would be regenerated in this case when it is valid for the same message to be repeated.
Great question. I think the RFC text is a little confusing.
If the JWT is intercepted in some API call, this token can of course be used again and again (unless the application creates one-time-use JWT's, but that kind of defeats the purpose of JWTs). This is not the kind of "replay attack" that JTIs protect against.
Cryptographic nonces "can be used just once", so it's only a nonce in the sense that it shouldn't be used in two separate JWT synthetizations. They more like TLS certificate serial numbers.
I would say that JTIs makes it easier to do 2 things to an API developer:
- Store other information server-side related to a particular JWT: who requested it, from where, how many times has it been used, etc.
- Create a server-side JWT revocation list. This can certainly make an application more secure if there are mechanisms to recognize active abuse.