[Gllug] iptables (newbie) question

Doug Winter doug at pigeonhold.com
Sun May 2 13:55:13 UTC 2004


On Sun 02 May Murray wrote:
> The only material difference I can see is that the initial setup uses
> REJECT in some cases to send a "not here" response, whereas the shorter
> second option just pretends it's not there at all.  This seems to me a
> better option.  Am I missing something?

It's generally better to send the appropriate response according to the
protocol.  If a TCP port is closed, send a port not reachable message so
the machine trying to contact it knows so.  Similarly for UDP and ICMP.

First, this is what the protocols are designed for in the first place,
so you aren't breaking anything.  

Second, this can help disguise the fact you are filtering, which may be
helpful (just dropping packets doesn't make it look like you aren't
there, because if you weren't there the last hop router would be
responding, rather than just dropping packets on the floor).

Finally it can really help with some things (for example, MTAs that make
ident queries to sending MTAs will hang for a very long time waiting for
responses if you don't send a port-unreachable).

The naive firewall setup that just drops anything it doesn't like on
the floor is to be avoided really.

doug.

-- 
  http://adju.st/   | "I have never predicted anything, and I
6973E2CF: 2C95 66AD | never will".
1596 37D2 41FC 609F |     -- Paul Gascoigne
76C0 A4EC 6973 E2CF | 
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
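The rule set below is an added example, not from Doug's message or from any GLLUG resource. It turns the argument above into iptables rules: closed TCP ports answer with a TCP RST (what a machine with no listener would send), closed UDP ports answer with ICMP port unreachable, and nothing is silently dropped. The host layout is an assumption (SSH on 22/tcp is the only open service), as is the `DRY_RUN` switch, which prints the commands instead of running them so the plan can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the original post): iptables REJECT rules that
# answer with the protocol-appropriate error instead of DROP's silence.
# Assumptions not stated on the page: iptables with the REJECT target, a
# host whose only open service is SSH on 22/tcp, and DRY_RUN=1 meaning
# "print the commands instead of running them".

# run CMD...: execute, or echo when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# reject_type PROTO -> the --reject-with value a closed port would produce
#   tcp: TCP RST (a closed TCP port answers a SYN with RST)
#   udp: ICMP port unreachable (ICMP type 3, code 3)
# Anything else is refused: tcp-reset is only legal on -p tcp rules, and a
# mismatched pairing makes iptables refuse the rule.
reject_type() {
  case "$1" in
    tcp) echo tcp-reset ;;
    udp) echo icmp-port-unreachable ;;
    *)   echo "reject_type: no protocol-appropriate reject for '$1'" >&2; return 1 ;;
  esac
}

# reject_proto PROTO [PORT] -> one INPUT rule rejecting PROTO (or one port of it)
reject_proto() {
  proto="$1"; port="$2"
  with="$(reject_type "$proto")" || return 1
  if [ -n "$port" ]; then
    run iptables -A INPUT -p "$proto" --dport "$port" -j REJECT --reject-with "$with"
  else
    run iptables -A INPUT -p "$proto" -j REJECT --reject-with "$with"
  fi
}

# reject_all_closed: the INPUT policy.  Order matters: loopback and
# established traffic first, then the open service, then the
# protocol-appropriate rejects for everything else.
reject_all_closed() {
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Covers ident (113/tcp) too: a remote MTA probing us gets an RST at
  # once instead of waiting out its timeout on a dropped SYN.
  reject_proto tcp
  reject_proto udp
  # Anything else (ICMP echo requests included) gets the generic
  # unreachable; REJECT never answers ICMP error packets themselves.
  run iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Usage: "sh reject.sh plan" prints the rules; "sh reject.sh apply" (as
# root) loads them.  Nothing happens when sourced or run with no argument.
case "${1:-}" in
  plan)  DRY_RUN=1; reject_all_closed ;;
  apply) reject_all_closed ;;
esac
```

A check worth running after `apply`: `nmap -sS` against the host should report ports as `closed`, not `filtered`, and a UDP probe should return an ICMP unreachable rather than time out. That is the difference the post describes between looking closed and looking firewalled.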