Re: iptables: drop or reject?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: "Ashley M. Kirchner" <ashley@xxxxxxxxxx>
Subject: Re: iptables: drop or reject?
From: Bruno Wolff III <bruno@xxxxxxxx>
Date: Fri, 26 Oct 2007 09:47:58 -0500
Cc: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
In-reply-to: <4720D854.2010801@xxxxxxxxxx>
References: <4720D854.2010801@xxxxxxxxxx>
Reply-to: For users of Fedora <fedora-list@xxxxxxxxxx>
User-agent: Mutt/1.4.2.1i

On Thu, Oct 25, 2007 at 11:54:28 -0600,
  "Ashley M. Kirchner" <ashley@xxxxxxxxxx> wrote:
> 
>    To drop or not to drop, that is the question.  If there's a server 
> out there sending spam e-mail, and I use iptables to block it, is it 
> best to simply drop the packet, or should I do a '--reject-with 
> icmp-host-unreachable' (or 'icmp-port-unreachable') or just a 'tcp-reset'?

Dropping packets from the ident port can potentially cause problems. Sometimes
servers will check back there to get a user id (this goes back to when people
mostly shared computers, it is pretty pointless today) and if you drop packets
things may stall until the connection times out rather than giving up
immediately after being told ident isn't available.

Follow-Ups:
- Re: iptables: drop or reject?
  - From: John Summerfield
- Re: [Fedora] Re: iptables: drop or reject?
  - From: Ashley M. Kirchner

References:
- iptables: drop or reject?
  - From: Ashley M. Kirchner

Prev by Date: Re: smartd.conf changes lost
Next by Date: Re: Postgres: DB restoration from splinters.
Previous by thread: Re: iptables: drop or reject?
Next by thread: Re: [Fedora] Re: iptables: drop or reject?
Index(es):
- Date
- Thread

[Index of Archives] [Current Fedora Users] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools] [Fedora Docs]

Powered by Linux