Re: iptables: DROP or REJECT?
From: Grant (g_r_a_n_t__at_dodo.com.au)
Date: 10/07/05
- Previous message: Moe Trin: "Re: iptables: DROP or REJECT?"
- In reply to: Lew Pitcher: "Re: iptables: DROP or REJECT?"
- Next in thread: Moe Trin: "Re: iptables: DROP or REJECT?"
- Reply: Moe Trin: "Re: iptables: DROP or REJECT?"
Date: Sat, 08 Oct 2005 07:54:16 +1000
On Fri, 07 Oct 2005 08:17:34 -0400, Lew Pitcher <Lew.Pitcher@td.com> wrote:
>
>FWIW, my firewall rules explicitly DROP any packets from the internet to
>my LAN that don't meet my requirements for passage (i.e. trying to access
>privileged ports, coming from a blacklisted IP address, etc).
Yes, I have a blacklist too, just DROP 'em, part of reducing traffic
from stupid web-crawlers, drop by entire 'whois' CIDR block.
>
>OTOH, my firewall rules explicitly REJECT any packets from my LAN to the
>internet that don't meet my requirements for passage (i.e. trying to
>send to a private IP range or trying to send one of the ICMP messages
>I've blacklisted).
Was under impression one could only _drop_ ICMPs, not reject them,
per RFC <mumble>.
As far as rejecting goes, when I tested various reject options I found
some types of reject message do increase unwanted traffic. The
current 'be reasonable then drop' workings have been in place for some
time; I become less aware of the firewall needing change.
Grant.