Re: [exim] Deny vs. Drop

Author: Daniel
Date:  
To: exim-users
Subject: Re: [exim] Deny vs. Drop
On Friday 05 May 2006 18:07, Marc Perkel wrote:
> So - if I'm denying a connection then why shouldn't I just drop the
> connection? Dropping the connection will reduce the number of open
> connections and not count on the sender to close the connection.
>
> What am I missing?


If you're referring to firewall rules, you typically want to DROP
incoming connections, and REJECT outgoing connections. DROP will send
the packet to nowhere, making you somewhat invisible and making the
initiating connection wait and wait (this is good). However, you should
probably REJECT connections from places you trust (like your LAN) so
your users aren't waiting like the bad guys.

Additionally, AUTH packets (tcp 113) tend to be issued by mail servers
and should either be accepted or rejected with tcp-reset or you'll end
up with mail client timeouts:

  iptables -A INPUT -i eth0 -p tcp \
    -s 0/0 --sport $UNPRIVPORTS \
    -d $MYIP --dport 113 \
    -j REJECT --reject-with tcp-reset


--
The world needs more Canada
- Bono
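The policy Daniel sketches (silent DROP for untrusted sources, a fast REJECT for the trusted LAN, and tcp-reset for ident on tcp/113 so remote mail servers don't sit in an ident timeout) can be written down as one reviewable rule generator. The script below is an added example and is not part of the mailing-list thread; the interface, addresses, LAN range and the SMTP/SSH services it accepts are constructed placeholders. By default it prints the iptables commands instead of applying them (set `IPT=iptables` to run them as root).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate the INPUT chain for
# the DROP-vs-REJECT policy described above. Commands are printed by default so
# the rule set can be reviewed before being applied.
IFACE="${IFACE:-eth0}"
MYIP="${MYIP:-192.0.2.10}"            # constructed: this host's public address
LAN="${LAN:-192.168.1.0/24}"          # constructed: trusted network that gets fast REJECTs
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"
IPT="${IPT:-echo iptables}"           # dry run by default; IPT=iptables applies the rules

# Emit one rule. $IPT is deliberately unquoted so "echo iptables" splits into
# a command plus its first argument.
rule() {
    $IPT "$@"
}

# Order matters:
#  1. keep established/related traffic flowing
#  2. accept the services actually offered (SMTP from anywhere, SSH from the LAN)
#  3. ident (tcp/113) from anywhere is answered with a TCP reset so a remote
#     MTA's ident lookup fails instantly instead of timing out
#  4. trusted LAN hosts get REJECT so their clients fail immediately
#  5. everything else from untrusted networks is silently DROPped
gen_rules() {
    rule -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$IFACE" -p tcp -d "$MYIP" --dport 25 -j ACCEPT
    rule -A INPUT -i "$IFACE" -p tcp -s "$LAN" -d "$MYIP" --dport 22 -j ACCEPT
    rule -A INPUT -i "$IFACE" -p tcp -s 0/0 --sport "$UNPRIVPORTS" -d "$MYIP" --dport 113 -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$IFACE" -p tcp -s "$LAN" -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$IFACE" -p udp -s "$LAN" -j REJECT --reject-with icmp-port-unreachable
    rule -A INPUT -i "$IFACE" -j DROP
}

# Sanity checks a practitioner would run on the generated set before applying it.
count_target() {
    gen_rules | grep -c -- "-j $1"
}

# The catch-all DROP must be the final rule, or later REJECTs never match.
last_rule_is_drop() {
    gen_rules | tail -n 1 | grep -q -- '-j DROP$'
}

gen_rules
```

The LAN rules use tcp-reset for TCP and icmp-port-unreachable for UDP, which is what makes a trusted user's mistyped connection fail at once; the untrusted catch-all stays a plain DROP so scanners from outside get no answer at all.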