Tarragon Allen, 2003-09-20 01:20:19 +0200 :
[...]

> The only distinction between the two that I make is that a REJECT
> is polite, and a DROP is rude. Also, a REJECT says to the other end
> "yes, there is a host there" whereas a DROP says "I got nothing,
> looks like there's nothing there".

I agree with that.

> For home connections I tend to just DROP everything that I don't
> want - this makes it slower for people to scan, as they aren't
> getting a valid response from every non-open port on my system.

I have a slightly more complex rule: I try to maintain a minimum level of politeness, while limiting the amount of outgoing bandwidth I use (I resent the A in ADSL). So if someone accidentally tries to connect to me, he gets a REJECT, but if I get scanned, or attacked, at most one REJECT packet will be sent out every second, allowing for the iptables burst mechanism which I'm not totally clear with yet.

Voilà! Polite with good guys, ignoring the baddies, and not using much outgoing bandwidth. I agree this is an approximation of what really happens (good guys can be ignored too if they happen to try to connect during a scan), but it works for me.

Roland.
-- 
Roland Mas
Save the beavers, plant trees.
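The "reject politely, then drop" behaviour Roland describes, written out as an added example that is not his actual ruleset: the interface name, the accepted port and the burst size are assumptions, and the script prints the rules unless DRY_RUN=0 is set so it can be read without touching a live firewall. The limit match is a token bucket, which is the burst mechanism the post mentions: the bucket starts with --limit-burst tokens, one REJECT spends a token, and tokens refill at --limit.

```shell
#!/bin/sh
# Added example in the spirit of the post above; not the author's own rules.
set -e

IFACE="${IFACE:-ppp0}"                  # assumed ADSL interface
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22}"  # assumed service(s) we actually offer
REJECT_RATE="1/second"                  # average REJECT rate once the bucket is empty
REJECT_BURST="5"                        # assumed bucket size (consecutive REJECTs)

# Wrapper: echo the rule in dry-run mode (default), otherwise apply it.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

polite_reject_rules() {
    # POLITE chain: while the token bucket has tokens, answer unwanted
    # connection attempts with a REJECT (ICMP port unreachable, the default);
    # once it is empty (a scan or attack) fall through to a silent DROP, so
    # outgoing bandwidth spent on replies is capped at REJECT_RATE.
    ipt -N POLITE
    ipt -A POLITE -m limit --limit "$REJECT_RATE" --limit-burst "$REJECT_BURST" \
        -j REJECT
    ipt -A POLITE -j DROP

    # Normal traffic: replies to our own connections, then the services we offer.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $OPEN_TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else arriving on the outside interface goes to the polite chain.
    ipt -A INPUT -i "$IFACE" -j POLITE
}

polite_reject_rules
```

Because each rule has its own bucket, the single REJECT rule in POLITE is what keeps the overall reply rate at one packet per second; a polite caller who happens to arrive while the bucket is empty is dropped, which is the approximation the post acknowledges.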

