From: Nathaniel Hall <nathaniel.d.hall@gmail.com>
To: Brent Clark <bclark@eccotours.co.za>
Cc: netfilter@lists.netfilter.org
Subject: Re: REJECT --reject-with icmp-host-unreachable vs DROP
Date: Mon, 27 Mar 2006 09:24:00 -0600
Message-ID: <44280390.8060502@gmail.com>
In-Reply-To: <4427A69D.6010702@eccotours.co.za>
Brent Clark wrote:
> Hi all
>
> Just something I would like to pick someone's brain with.
>
> If I use the default policy of DROP, BUT at the end of the chain use
> the following
>
> $IPT -t filter -A FORWARD -j REJECT --reject-with icmp-host-unreachable
>
> Would that be OK, or is there another ICMP message I can reply back with?
>
> Reason I ask this is because I find that by using the default policy
> (DROP), some applications keep retrying to make a connection etc.
> Whereas this approach seems to slow things down (I stand to
> correction on this).
>
> If someone could maybe help me understand this or assist, I would be
> most grateful.
I recommend using --reject-with icmp-host-unreachable and here are the
reasons:

1) What is the only reason you would receive nothing? When a firewall
is in place. That's it. For everything else you get either a host
unreachable, network unreachable, port unreachable, reset, etc.

2) What do DDoS attacks rely on? Slow/no connection resets. If your
address space is spoofed and you do not send a reject or reset message,
the victim still has the connection open. You are aiding the cracker
with their DDoS by DROPping the connection and not rejecting/resetting it.

3) If I remember right, it is against RFC to DROP a connection without
rejecting/resetting it. If anybody could point me to the correct RFC,
that would be great.
--
Nathaniel Hall, GSEC GCFW GCIA
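As an added illustration of the setup discussed in this thread (example script, not code from either poster): a FORWARD chain whose default policy is DROP but which ends in explicit REJECT rules, plus a small audit that reports which of those tail rules are absent from an iptables-save dump. The tcp-reset and icmp-port-unreachable variants for TCP and UDP are my own additions beyond the thread's icmp-host-unreachable; the dump used at the bottom is constructed for the test, and the audit checks presence of the rules, not their position in the chain.

```shell
#!/bin/sh
# Added example: default-DROP FORWARD chain closed by REJECT rules, so a
# refused connection gets an immediate answer instead of timing out and
# retrying. Assumes the iptables CLI; set IPT to override the binary.
IPT=${IPT:-iptables}

# The REJECT rules that should end the chain. TCP gets a RST and UDP a
# port-unreachable (what a closed port would answer anyway); everything
# else gets the host-unreachable message from the thread.
reject_tail_rules() {
  chain=$1
  printf '%s\n' \
    "-A $chain -p tcp -j REJECT --reject-with tcp-reset" \
    "-A $chain -p udp -j REJECT --reject-with icmp-port-unreachable" \
    "-A $chain -j REJECT --reject-with icmp-host-unreachable"
}

# Set the policy and append the tail rules (needs root; not run here).
apply_reject_tail() {
  chain=$1
  "$IPT" -t filter -P "$chain" DROP
  reject_tail_rules "$chain" | while read -r rule; do
    # word-splitting the rule text into arguments is intended here
    "$IPT" -t filter $rule
  done
}

# Audit: read an iptables-save dump on stdin and print every expected
# tail rule that does not appear in it verbatim (empty output = complete).
missing_reject_rules() {
  chain=$1
  dump=$(cat)
  reject_tail_rules "$chain" | while read -r rule; do
    printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done
}

# Constructed iptables-save excerpt: policy is DROP, but only the TCP
# reject rule was added, so the UDP and catch-all rules are missing.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT'

# Usage: printf '%s\n' "$SAMPLE_DUMP" | missing_reject_rules FORWARD
```

Feeding the output of `iptables-save` into `missing_reject_rules FORWARD` gives the same check against a live box.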
Thread overview:
2006-03-27 8:47 REJECT --reject-with icmp-host-unreachable vs DROP Brent Clark
2006-03-27 9:21 ` Martijn Lievaart
2006-03-27 13:07 ` Menno Smits
2006-03-27 15:24 ` Nathaniel Hall [this message]