Re: iptables: DROP or REJECT?

From: Grant (g_r_a_n_t__at_dodo.com.au)
Date: 10/07/05

    Date: Sat, 08 Oct 2005 07:54:16 +1000
    
    On Fri, 07 Oct 2005 08:17:34 -0400, Lew Pitcher <Lew.Pitcher@td.com> wrote:
    >
    >FWIW, my firewall rules explicitly DROP any packets from the internet to
    >my LAN that don't meet my requirements for passage (i.e. trying to access
    >privileged ports, coming from a blacklisted IP address, etc).

    Yes, I have a blacklist too, and I just DROP 'em; it's part of reducing
    traffic from stupid web-crawlers, dropping the entire 'whois' CIDR block.

    >
    >OTOH, my firewall rules explicitly REJECT any packets from my LAN to the
    >internet that don't meet my requirements for passage (i.e. trying to
    >send to a private IP range or trying to send one of the ICMP messages
    >I've blacklisted).

    I was under the impression one could only _drop_ ICMPs, not reject them,
    per RFC <mumble>.

    As far as rejecting goes, when I tested various reject options I found
    some reject message types do increase unwanted traffic. The current
    'be reasonable then drop' workings have been in place for some time, and
    I've become less aware of the firewall needing change.

    Grant.
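The two-sided policy quoted above, DROP for unwanted traffic arriving from the Internet and REJECT for unwanted traffic leaving the LAN, written out as an iptables script for the FORWARD chain of a LAN router. This is an added example, not code from either poster. The interface names (eth0/eth1), the LAN range and the blacklist entry are assumptions; 192.0.2.0/24 is the TEST-NET-1 documentation range standing in for a whois-derived CIDR block. On the ICMP question raised in the post: the REJECT target does act on ICMP queries such as timestamp-request, but the Linux kernel refuses to generate an ICMP error in reply to an ICMP error message (RFC 1122 section 3.2.2), so REJECTing an error-class type such as redirect behaves like a silent DROP.

```shell
#!/bin/sh
# Added example: DROP unwanted Internet->LAN traffic, REJECT unwanted LAN->Internet
# traffic. Interfaces, LAN range and blacklist below are assumptions.
# Apply as root with "sh fw.sh apply"; set IPT=echo to print the rules instead.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                       # Internet-facing interface (assumed)
LAN="${LAN:-eth1}"                       # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # LAN address range (assumed)
# Blacklisted source blocks, whole whois CIDR blocks, space separated.
# Constructed placeholder: 192.0.2.0/24 is a documentation range.
BLACKLIST="${BLACKLIST:-192.0.2.0/24}"
# RFC 1918 ranges that must never be sent out to the Internet.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

apply_rules() {
    # Default stance for forwarded traffic: drop anything not explicitly allowed.
    $IPT -P FORWARD DROP
    # Replies and related packets of flows we already allowed pass through.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # --- Internet -> LAN: DROP silently, no reply to the sender ---
    for net in $BLACKLIST; do
        $IPT -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    # Unsolicited connections to privileged ports (0-1023) on LAN hosts.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp --dport 0:1023 \
        -m conntrack --ctstate NEW -j DROP
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp --dport 0:1023 \
        -m conntrack --ctstate NEW -j DROP

    # --- LAN -> Internet: REJECT so the local host fails fast ---
    # Traffic addressed to private ranges cannot go anywhere useful via the WAN.
    for net in $PRIVATE_NETS; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -d "$net" \
            -j REJECT --reject-with icmp-net-unreachable
    done
    # ICMP types we do not want leaving the LAN. timestamp-request is a query,
    # so the sender gets the admin-prohibited error; redirect is an error-class
    # type, and the kernel will not answer an ICMP error with an ICMP error
    # (RFC 1122 s3.2.2), so for it this REJECT is effectively a DROP.
    for t in timestamp-request redirect; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -p icmp --icmp-type "$t" \
            -j REJECT --reject-with icmp-admin-prohibited
    done
    # Everything else from our LAN range is allowed out.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

if [ "${1-}" = "apply" ]; then
    apply_rules
fi
```

Run `IPT=echo sh fw.sh apply` first to see the exact rule lines the script would load, then apply it as root. The script covers only the FORWARD chain; traffic addressed to the router itself needs the same treatment in INPUT.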


