Re: iptables / reject vs drop
From: Andrew Schulman (andrex_at_deadspam.com)
Date: 10/27/04
- Next message: Heinz Ekker: "Re: iptables / reject vs drop"
- Previous message: Bruno Wolff III: "Re: iptables / reject vs drop"
- In reply to: Bruno Wolff III: "Re: iptables / reject vs drop"
- Next in thread: Tim Haynes: "Re: iptables / reject vs drop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Oct 2004 13:42:21 -0400
> It is usually a good idea to send back TCP RST packets for the AUTH port.
> Not doing so will slow down mail transfers from sites that check to see
> if an ident server is running. Instead of failing immediately, the connection
> attempt will need to time out.
Also, many IRC servers query AUTH and will wait forever for a response
if they don't at least get a RST back, effectively denying your
connection.
> The security advantage of not sending back TCP RST packets is pretty low.
> It isn't worth screwing up any of your services by not sending them.
Probably true.
-- To reply by email, change "deadspam.com" to "alumni.utexas.net"
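
An added example, not part of the original post or thread: a small Python audit that reads `iptables-save` output and reports what a new inbound TCP connection to the AUTH port (113) receives, so a silent DROP can be told apart from a `REJECT --reject-with tcp-reset`. Both rulesets are constructed samples, and the matcher is deliberately simplified: it assumes any rule using matchers other than `-p`, `-m tcp` and `--dport` does not apply to a new connection from an arbitrary host.

```python
import shlex

# Constructed iptables-save excerpts (illustrative, not from the thread).
SAMPLE_DROP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
SAMPLE_RESET = SAMPLE_DROP.replace(
    "COMMIT",
    "-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset\nCOMMIT",
)

# Options this simplified matcher understands; each takes exactly one argument.
SIMPLE_OPTS = {"-p", "-m", "--dport", "-j", "--reject-with"}


def _port_matches(spec, port):
    """--dport accepts a single port or a lo:hi range."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def auth_port_fate(ruleset, port=113):
    """First-match walk of the INPUT chain for a new TCP SYN to `port`."""
    policy = "ACCEPT"  # built-in chains default to ACCEPT
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT "):
            continue
        tok = shlex.split(line)[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))
        # Assumption: rules with other matchers (state, source, interface,
        # negation, ...) are out of scope and treated as not matching.
        if set(opts) - SIMPLE_OPTS or opts.get("-m", "tcp") != "tcp":
            continue
        if opts.get("-p", "tcp") not in ("tcp", "all"):
            continue
        if "--dport" in opts and not _port_matches(opts["--dport"], port):
            continue
        if opts.get("-j") == "REJECT":
            # Without --reject-with, REJECT answers with an ICMP error, not a RST.
            return "REJECT " + opts.get("--reject-with", "icmp-port-unreachable")
        if opts.get("-j") in ("ACCEPT", "DROP"):
            return opts["-j"]
    return policy
```

A result of `DROP` for port 113 is the case the thread describes, where the remote mail or IRC server has to wait for its ident query to time out.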