Re: iptables / reject vs drop
From: Bruno Wolff III (bruno_at_cerberus.csd.uwm.edu)
Date: 10/27/04
- Next message: Andrew Schulman: "Re: iptables / reject vs drop"
- Previous message: Fritz Bayer: "Re: iptables / reject vs drop"
- In reply to: Fritz Bayer: "Re: iptables / reject vs drop"
- Next in thread: Andrew Schulman: "Re: iptables / reject vs drop"
- Reply: Andrew Schulman: "Re: iptables / reject vs drop"
- Reply: Tim Haynes: "Re: iptables / reject vs drop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Oct 2004 15:51:28 GMT
In article <a9c0aa9e.0410270622.158c5cf5@posting.google.com>, Fritz Bayer wrote:
>
> Well, what I have read is that both close the ports. The only
> difference is that REJECT sends an error packet back.
>
> That's why I used DROP because it does not notify the sender. This
> also strangely works on my local LAN.
It is usually a good idea to send back TCP RST packets for the AUTH port.
Not doing so will slow down mail transfers from sites that check to see
if an ident server is running. Instead of failing immediately, the connection
attempt will need to time out.
The security advantage of not sending back TCP RST packets is pretty low.
It isn't worth screwing up any of your services by not sending them.
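Added example, not part of the thread: the ident lookup a remote MTA performs against a connecting client (RFC 1413, tcp/113), with a connect timeout, so an administrator can check their own server and see which outcome the firewall produces. A DROP rule shows up as "timeout" after the full wait; REJECT with a TCP RST shows up as "refused" almost instantly. The loopback identd stand-in, its reply text and the 40000/25 port pair are constructed for the demonstration.

```python
import socket
import threading
import time

IDENT_PORT = 113  # AUTH/ident service (RFC 1413)


def ident_probe(host, port=IDENT_PORT, timeout=5.0, query=b"40000 , 25\r\n"):
    """One RFC 1413 lookup, as an MTA checking a connecting client does it.

    Returns (outcome, seconds, reply). 'refused' means a TCP RST came back
    (REJECT --reject-with tcp-reset, or nothing listening on an unfirewalled
    port): the MTA fails fast. 'timeout' means nothing came back (DROP): the
    MTA waits out its whole timer before going on. 'answered' carries the
    ident server's reply line; 'error' covers other socket failures.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(query)  # constructed "<port-on-server> , <port-on-client>"
            reply = s.recv(512).decode("ascii", errors="replace").strip()
        return "answered", time.monotonic() - start, reply
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start, ""
    except (socket.timeout, TimeoutError):
        return "timeout", time.monotonic() - start, ""
    except OSError as exc:
        return "error", time.monotonic() - start, str(exc)


def serve_one_ident_reply(reply=b"40000 , 25 : ERROR : NO-USER\r\n"):
    """Constructed stand-in for identd on loopback: answers one query and
    exits. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(512)
            conn.sendall(reply)

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_loopback_port():
    """A loopback port nothing listens on (constructed input for the demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `ident_probe("your.mail.host", timeout=10.0)` from an outside machine: a "timeout" result is exactly the delay every ident-checking mail server pays for the DROP rule.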