From: David Cannings <lists@edeca.net>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: FW: Filtering multiple networks
Date: Mon, 31 May 2004 13:19:33 +0000
Message-ID: <200405311319.33568.lists@edeca.net>
In-Reply-To: <20040531104524.GA26731@home.manuelm.org>

On Monday 31 May 2004 10:45, Frank Gruellich wrote:
> * Markus Zeilinger <mz@sea.uni-linz.ac.at> 31. May 04:
> > - Why is DROP bad here? As I see REJECT would send an error message
> > back to the source, but this would not make any sense on packets
> > coming on the WAN interface with private IP addresses, or am I wrong?
> It would be kinda polite to point the sender of the packets to his
> misconfigured box.  REJECT is like yelling 'Hey, you are wrong!'
> DROPping is like closing your eyes to somebody's problem.  Anyway, it's
> your decision right here.

Can you please explain how a TCP RST or ICMP message is supposed to get 
back to a spoofed RFC 1918 (or otherwise reserved) address?  Sending 
replies of any sort out of a WAN interface onto the Internet to a 
reserved or private address is very bad practice.  Some would even argue 
that sending to unallocated space is bad.  If border routers don't drop 
such packets, your firewall most certainly should.

David


Thread overview: 6+ messages
2004-05-31 10:32 FW: Filtering multiple networks Markus Zeilinger
2004-05-31 10:44 ` David Cannings
2004-05-31 10:45 ` Frank Gruellich
2004-05-31 13:19   ` David Cannings [this message]
2004-05-31 19:23     ` Frank Gruellich
2004-05-31 20:59       ` David Cannings
