From: Stephen Samuel
Subject: Re: LOG target for rate-limiting on iptables not working...?
Date: Thu, 02 Mar 2006 19:12:17 -0800
Message-ID: <4407B411.2050800@bcgreen.com>
References: <33006.10.0.0.113.1141342014.squirrel@webmail.surefoot.com>
In-reply-to: <33006.10.0.0.113.1141342014.squirrel@webmail.surefoot.com>
Sender: linux-admin-owner@vger.kernel.org
To: Jens Knoell
Cc: linux-admin@vger.kernel.org

Reject will send either a Reset (RST) packet (TCP) or an ICMP reject (UDP).

Drop will silently ignore the packet's existence. The sender will get no
response at all.

If you have no listening ports, and everything that is not associated with
an outgoing connection is DROPped (as opposed to rejected), it makes it
rather hard for a random attacker to realize that your

Generally I would say that errant packets from 'presumed friendly' machines
can probably be safely rejected. Packets from 'presumed hostile' addresses
should probably be silently dropped.

Jens Knoell wrote:
>I've rate-limited the incoming connections to some ports. The rate
>limiting works, but it doesn't log to syslog... other non-rate-limiting
>rules where LOG targets exist work, so I know logging in principle works.
>What am I missing? No LOG target for this module? :)
>
>Also, is there any advantage to use DROP instead of REJECT? Just
>curious.

--
Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
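The two points raised in this exchange, logging what a rate limit throws away and choosing REJECT versus DROP per source, as one worked ruleset. This is an added example, not a rule set posted by either participant. It assumes SSH on tcp/22, a hypothetical "presumed friendly" range of 10.0.0.0/24, and a limit of 3 new connections per minute; all of those are assumptions. The usual reason a rate-limited rule "does not log" is that LOG is a non-terminating target, so a LOG rule placed after the terminating ACCEPT/DROP is never reached and a LOG rule on the same line as the limited ACCEPT only logs the packets that were accepted. The script emits an iptables-restore ruleset in which the LOG rule sits between the limited ACCEPT and the DROP/REJECT, so it sees exactly the over-limit SYNs.

```shell
#!/bin/sh
# Added example: generate (and optionally load) an iptables-restore ruleset that
# rate-limits new SSH connections, logs the SYNs that exceed the limit, and
# answers a "presumed friendly" net with REJECT while DROPping everyone else.
# Assumptions (hypothetical): SSH on tcp/22, friendly range 10.0.0.0/24,
# 3 new connections per minute with a burst of 3.

FRIENDLY_NET="${FRIENDLY_NET:-10.0.0.0/24}"   # assumed friendly range
PORT="${PORT:-22}"                              # assumed service port
RATE="${RATE:-3/min}"
BURST="${BURST:-3}"

gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to our own outgoing connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SSH connections within the limit are accepted here and stop traversal.
-A INPUT -p tcp --dport $PORT --syn -m state --state NEW -m limit --limit $RATE --limit-burst $BURST -j ACCEPT
# Only over-limit SYNs fall through to this point. LOG is non-terminating, so
# it must come BEFORE the DROP/REJECT; its own -m limit is a separate token
# bucket that keeps syslog from being flooded by a flood of SYNs.
-A INPUT -p tcp --dport $PORT --syn -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "ssh-ratelimited: "
# Friendly net gets a TCP RST so its clients fail fast; everyone else is
# silently dropped, so a scanner cannot distinguish the port from a closed one.
-A INPUT -p tcp --dport $PORT --syn -s $FRIENDLY_NET -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport $PORT --syn -j DROP
# Unsolicited UDP: ICMP port-unreachable for the friendly net, silence for the rest
# (the chain policy above is DROP).
-A INPUT -p udp -s $FRIENDLY_NET -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# 1-based position of the first "-A" rule whose text matches the pattern, so the
# LOG-before-DROP ordering can be checked without loading anything into the kernel.
rule_index() {
  gen_rules | grep '^-A' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
  apply) gen_rules | iptables-restore ;;   # needs root: sh ratelimit.sh apply
  *)     gen_rules ;;                      # default: print the ruleset
esac
```

Run it without arguments to inspect the generated ruleset; `apply` pipes it into iptables-restore, which replaces the filter table atomically. Note that the 1/min limit on the LOG rule means one log line per minute summarises an ongoing flood; raise it (or drop the limit match on that rule) if per-packet evidence matters more than syslog volume.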