Re: iptables / reject vs drop
From: Tim Haynes (usenet-20041029_at_stirfried.vegetable.org.uk)
Date: 10/29/04
- Next message: Daniel Huang: "public key access error"
- Previous message: Tim Haynes: "Re: Automatic blocking of attackers' IP"
- In reply to: Bruno Wolff III: "Re: iptables / reject vs drop"
- Next in thread: Moe Trin: "Re: iptables / reject vs drop"
Date: Fri, 29 Oct 2004 20:30:26 +0100
Bruno Wolff III <bruno@cerberus.csd.uwm.edu> writes:
[snip]
> It is usually a good idea to send back TCP RST packets for the AUTH port.
> Not doing so will slow down mail transfers from sites that check to see
> if an ident server is running. Instead of failing immediately, the
> connection attempt will need to time out.
And ftp and IRC and anything else that uses an identd lookup...
> The security advantage of not sending back TCP RST packets is pretty low.
> It isn't worth screwing up any of your services by not sending them.
No point in contributing to a DoS, either of your own or anyone else's
network.
~Tim
--
Remember, fish are FOOD not FRIENDS! |piglet@stirfried.vegetable.org.uk
|http://spodzone.org.uk/