iptables: drop or reject?

Bruno Wolff III bruno at wolff.to
Fri Oct 26 14:47:58 UTC 2007


On Thu, Oct 25, 2007 at 11:54:28 -0600,
  "Ashley M. Kirchner" <ashley at pcraft.com> wrote:
> 
>    To drop or not to drop, that is the question.  If there's a server 
> out there sending spam e-mail, and I use iptables to block it, is it 
> best to simply drop the packet, or should I do a '--reject-with 
> icmp-host-unreachable' (or 'icmp-port-unreachable') or just a 'tcp-reset'?

Dropping packets from the ident port can potentially cause problems. Sometimes
servers will check back there to get a user id (this goes back to when people
mostly shared computers; it is pretty pointless today), and if you drop packets
things may stall until the connection times out rather than giving up
immediately after being told ident isn't available.
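The distinction Bruno draws, as an added example that is not part of the original thread: a small rule builder that answers inbound ident (TCP 113) with a TCP RST so a remote MTA's lookback fails immediately, while the spam source itself is dropped. The source address, the rule ordering and the dry-run style are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): compose iptables rules that
# REJECT inbound ident (TCP 113) with a TCP RST, so a remote MTA doing an
# ident lookback is refused at once instead of hanging until it times out,
# while the spam source itself is simply dropped.
# SPAM_SRC is a constructed placeholder (TEST-NET-1, RFC 5737), not a real host.
SPAM_SRC="192.0.2.10"

# Print a REJECT rule for proto/port with the given --reject-with type.
# tcp-reset is only valid for TCP, so refuse to build a rule that iptables
# would itself reject; the ICMP unreachable types work for any protocol.
reject_rule() {
    proto="$1"; port="$2"; rtype="$3"
    if [ "$rtype" = "tcp-reset" ] && [ "$proto" != "tcp" ]; then
        echo "reject_rule: tcp-reset requires -p tcp (got $proto)" >&2
        return 1
    fi
    echo "iptables -A INPUT -p $proto --dport $port -j REJECT --reject-with $rtype"
}

# A single abusive source can be dropped silently: nothing on our side is
# waiting on that connection, so the timeout cost falls on the sender.
drop_source() {
    echo "iptables -A INPUT -s $1 -j DROP"
}

# Order matters: the source block precedes the ESTABLISHED accept so an
# already-open connection from the spammer is cut off too, and the ident
# REJECT precedes the DROP policy, which on its own would cause the stall.
build_ruleset() {
    drop_source "$SPAM_SRC"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    reject_rule tcp 113 tcp-reset
    echo "iptables -A INPUT -p tcp --dport 25 -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Dry run: only prints the commands. Apply as root with: build_ruleset | sh
build_ruleset
```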