On Tue, May 28, 2002 at 03:10:12PM -0400, Ramin Alidousti wrote:
> On Tue, May 28, 2002 at 09:00:33PM +0200, Axel Christiansen wrote:

<snip>

> But, you're right. The decision between DROP and REJECT is a very
> tough one. Some two or three weeks ago we were pleading for DROP
> for some valid reasons and now it seems that we have good reasons
> for REJECT. But, still, I'd prefer the DROP. It's less expensive
> and besides who cares that they know

I think you can do either, but you have to completely go for either option.

If you DROP you have to eat every packet that isn't legitimate, and convince
the router in front of the protected host to generate the appropriate ICMP
Host Unreachables when it sees unauthorised packets.  Or fake them yourself,
but that leaves you open to TTL related problems.

If you REJECT then you respond with the appropriate ICMP or TCP errors
when hit with UDP and TCP connections respectively.

-- 
FunkyJesus System Administration Team
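The two policies discussed in this thread, written out as an added example (not code from the original posts): a REJECT ruleset that answers unwanted TCP with a reset and unwanted UDP with ICMP port unreachable, beside the DROP variant that silently discards everything. The accepted service (TCP 22) and the dry-run default for IPT are assumptions.

```shell
#!/bin/sh
# Added example: REJECT versus DROP policies for a protected host.
# IPT defaults to a dry run (echo) so the rules can be inspected without
# root; run with IPT=iptables to apply them. Port 22 is an assumed service.
IPT="${IPT:-echo iptables}"

reject_rules() {
    # Allow established flows and the one service the host actually offers.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # REJECT: unwanted TCP gets a RST, unwanted UDP gets ICMP port
    # unreachable, so the sender sees a definite error instead of a timeout.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    # Any other IP protocol gets ICMP host unreachable.
    $IPT -A INPUT -j REJECT --reject-with icmp-host-unreachable
}

drop_rules() {
    # DROP variant: same accepts, then discard everything else silently.
    # The sender gets no error unless the upstream router generates one.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -P INPUT DROP
}
```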

