On Sat, 24.07.2004 at 22:20, Jorge Fábregas wrote:

> It didn't say that those ports were open. It probably means that he has some
> ACL (access control list) on the server, through inetd, xinetd or the daemons
> themselves... and when someone attempts these ports on his machine you're just
> denied access (but that's the problem: you know they are there!). That's the
> main difference between REJECT and DROP when you use iptables. With DROP the
> port scanner will not receive a response back. With REJECT you'll get a
> response back. You should avoid REJECT... and always use DROP (it's way
> better, as you're completely STEALTH). The only reason for using REJECT
> (that I can think of) is for troubleshooting purposes.

No, DROP is somewhat "a-social", as it causes timeout delays even for users with a legitimate interest in connecting to services. And you won't get any security improvement by using DROP instead of REJECT. But I don't want to restart a discussion about that particular topic again. We had this some months ago.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 22:27:12 up 2 days, 7:15, load average: 0.09, 0.08, 0.05
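The client-side difference the two posters are arguing about, as an added example that is not part of the thread. It assumes a reachable loopback interface and uses a hypothetical helper, `closed_loopback_port()`, to obtain a port nothing listens on; the two iptables rules named in the comments are standard iptables syntax and are what the probe would be pointed at on a real host.

```python
# Added example, not from the thread: what DROP and REJECT look like from
# the client (port-scanner) side.
#
# Server-side rules being compared (standard iptables syntax):
#   iptables -A INPUT -p tcp --dport 22 -j DROP
#   iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
#
# DROP: the SYN is discarded, the client retransmits and finally times out.
# REJECT with tcp-reset: the kernel answers with a RST, so connect() fails
# at once with ECONNREFUSED, exactly like a port with no listener at all.
import errno
import socket
import time
from typing import Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> Tuple[str, float]:
    """TCP connect to host:port and classify the outcome the way a port
    scanner does.  Returns (verdict, seconds_elapsed)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"        # SYN-ACK came back: something is listening
    except socket.timeout:
        verdict = "filtered"    # silence until the timeout: DROP (or a dead host)
    except ConnectionRefusedError:
        # RST received (closed port, or REJECT --reject-with tcp-reset).
        # Linux also reports ICMP port-unreachable as ECONNREFUSED for TCP.
        verdict = "closed"
    except OSError as exc:
        # EHOSTUNREACH / ENETUNREACH: ICMP host/net unreachable, or no route
        verdict = "unreachable:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def closed_loopback_port() -> int:
    """Helper (an assumption of this example): bind an ephemeral port on
    127.0.0.1, release it, and return its number.  Nothing listens there,
    so the kernel answers a SYN with RST, which is the same reply a
    REJECT --reject-with tcp-reset rule produces."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = closed_loopback_port()
    verdict, elapsed = probe("127.0.0.1", port)
    print(f"127.0.0.1:{port} -> {verdict} after {elapsed:.3f}s")
    # Against a host whose rule is -j DROP the same call reports "filtered",
    # but only after the full timeout; that delay is the "a-social"
    # behaviour the reply objects to, and the scanner still learns that a
    # filter is present because a genuinely absent host would behave the
    # same way, so nothing is hidden.
```

Run it locally to see the "closed" verdict come back in milliseconds; point `probe()` at a host with a DROP rule and the verdict changes to "filtered" after the whole timeout, which is what a legitimate client of a DROPped port experiences too.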