Re: [exim] Deny vs. Drop

Author: Jakob Hirsch
Date:  
To: Daniel
CC: exim-users
Subject: Re: [exim] Deny vs. Drop
Quoting Daniel:

> incoming connections, and REJECT outgoing connections. DROP will send
> the packet to nowhere making you somewhat invisible and make the
> initiating connection wait and wait (this is good). However, you should


No, that's security by obscurity, which is not good and its careless use
has led to problems like the infamous clamp-mss hacks.
Instead of simple blackholing, one should rate-limit icmp-unreachable
and tcp rst, multi-level if possible, e.g. low per-IP limit and higher
overall limit.
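
An added sketch, not part of the original message, of the multi-level limit the reply describes: a low per-IP token bucket in front of a higher overall bucket decides whether a refused packet is answered (TCP RST / ICMP unreachable) or silently dropped. The class names, rates, addresses and traffic pattern are assumptions constructed for illustration.

```python
# Added example; addresses, rates and traffic below are constructed, not from the page.
class Bucket:
    """Token bucket: refills `rate` tokens per second, holds at most `burst`."""
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class ReplyLimiter:
    """Per refused packet: answer with RST/ICMP unreachable ('REJECT') or 'DROP'."""
    def __init__(self, overall, per_ip=None):
        self.overall = Bucket(*overall)
        self.per_ip_cfg = per_ip   # None = overall limit only
        self.sources = {}          # a real table would also expire idle entries

    def decide(self, src, now):
        if self.per_ip_cfg is not None:
            bucket = self.sources.get(src)
            if bucket is None:
                bucket = self.sources[src] = Bucket(*self.per_ip_cfg, now)
            # Checked first, so a source over its own limit never spends the shared budget.
            if not bucket.take(now):
                return "DROP"
        return "REJECT" if self.overall.take(now) else "DROP"

SCANNER = "192.0.2.66"
CLIENTS = ["198.51.100.%d" % i for i in range(1, 5)]
# One source hits 20 closed ports every 0.25 s for 2 s; four other hosts
# each hit one closed port at t = 1.125 s.
EVENTS = sorted([(t * 0.25, SCANNER) for t in range(8) for _ in range(20)]
                + [(1.125, ip) for ip in CLIENTS])

def answered(limiter):
    """Count REJECT replies per source over EVENTS."""
    counts = {}
    for now, src in EVENTS:
        if limiter.decide(src, now) == "REJECT":
            counts[src] = counts.get(src, 0) + 1
    return counts

single = answered(ReplyLimiter(overall=(4, 8)))               # overall limit only
multi = answered(ReplyLimiter(overall=(4, 8), per_ip=(1, 2)))  # per-IP + overall
```

With only the overall limit, the noisy source uses up every reply and the four other hosts are effectively blackholed; with the per-IP limit in front, it gets 3 replies and each other host still gets its answer.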