[LARTC] REJECTing: How and When to use What type of reply.

[Mike Mestnik <cheako911@yahoo.com>]

For this thread I'd like to FOCUS on rejecting bad traffic and not on dropping.  The first case
I'd like to discuss is where all but a handful of public web sites are allowed for ought going
connections.  A typical NAT setup is used where all the users sit behind a firewall, some have
full access to the Internet but most have restricted access.  I'd also like to bring in other
minds into the discussion, and not have it be a linux only problem.

Here is the big deal.  A web page like www.nasdaq.com is considered valid, so traffic to it's IP
208.249.117.71 is ACCEPTed.  However this site pulles content from an unknown group of other
sites, unfortunately not ACCEPTed.  In the mean time untill all the sites can be added it's not
proper to simply DROP these SYN packets.  This is where this concerns EVERYONE, the client
software needs to get the right REJECT from the firewall.  Now How and When to use What type of
reply becomes a big deal.

I'd like to open this discussion up to every one who has 2 cents and/or another good use of REJECT
vs DROP.  For my setup I have winblows computers running both IE and Netscape behind a generic
firewall *Blush*.  The two types of REJECTs I have tested are "TCP RST" and ICMP (Port
Unreachable), are there any others?

This thread may be moved to another list where appropriate.


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/