Szerző: Jakob Hirsch Dátum: Címzett: Daniel CC: exim-users Tárgy: Re: [exim] Deny vs. Drop
Quoting Daniel:
> incomming connections, and REJECT outgoing connections. DROP will send
> the packet to nowhere making you somewhat invisible and make the
> initiating connection wait and wait (this is good) However, you should
No, that's security by obscurity, which is not good and its careless use
have lead to problems like the infamous clamp-mss hacks.
Instead of simple blackholing, one should rate-limit icmp-unreachable
and tcp rst, multi-level if possible, e.g. low per-IP limit and higher
overall limit.