> Easy solution:
>
> deny (connection reset) rather than drop the connections
I meant reject. From the man page:
   REJECT
       This is used to send back an error packet in response to the
       matched packet: otherwise it is equivalent to DROP so it is a
       terminating TARGET, ending rule traversal. This target is only
       valid in the INPUT, FORWARD and OUTPUT chains, and user-defined
       chains which are only called from those chains. The following
       option controls the nature of the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable,
              icmp-host-unreachable, icmp-port-unreachable,
              icmp-proto-unreachable, icmp-net-prohibited or
              icmp-host-prohibited, which return the appropriate ICMP
              error message (port-unreachable is the default). The
              option tcp-reset can be used on rules which only match
              the TCP protocol: this causes a TCP RST packet to be sent
              back. This is mainly useful for blocking ident (113/tcp)
              probes which frequently occur when sending mail to broken
              mail hosts (which won't accept your mail otherwise).
Why connection reset? For idiots at the other end who firewall all
ICMP.
David.
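The man page text quoted above carries two constraints that are easy to get wrong when writing the rule by hand: `--reject-with` only accepts a fixed set of types, and `tcp-reset` is only valid on a rule that matches TCP. The shell function below is an added example (not part of David's message or the iptables man page) that builds the REJECT rule and enforces both constraints before anything is applied; the function name, the `-p tcp|udp --dport` shape of the match, and the "print, don't run" behaviour are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: build an iptables REJECT rule and validate the
# --reject-with type against the list in the man page. It prints the
# command instead of running it, so it can be reviewed or piped into
# a change process. (Function name and argument order are assumptions.)

# build_reject_rule CHAIN PROTO DPORT REJECT_TYPE
#   CHAIN       INPUT, FORWARD, OUTPUT, or a user chain called from them
#   PROTO       tcp or udp (this wrapper always adds --dport)
#   DPORT       destination port to reject
#   REJECT_TYPE one of the --reject-with types from the man page
# Prints the iptables command on stdout; returns 1 on a bad combination.
build_reject_rule() {
    chain=$1; proto=$2; dport=$3; rtype=$4

    # --dport only makes sense for tcp/udp; other protocols would need a
    # different match, so refuse them rather than emit a broken rule.
    case "$proto" in
        tcp|udp) ;;
        *) echo "build_reject_rule: proto must be tcp or udp (got '$proto')" >&2
           return 1 ;;
    esac

    case "$rtype" in
        # The ICMP error types listed in the man page; any protocol is fine.
        icmp-net-unreachable|icmp-host-unreachable|icmp-port-unreachable|\
        icmp-proto-unreachable|icmp-net-prohibited|icmp-host-prohibited)
            ;;
        # tcp-reset is only valid on rules that match the TCP protocol.
        tcp-reset)
            if [ "$proto" != tcp ]; then
                echo "build_reject_rule: tcp-reset requires -p tcp (got -p $proto)" >&2
                return 1
            fi
            ;;
        *)  echo "build_reject_rule: unknown --reject-with type '$rtype'" >&2
            return 1 ;;
    esac

    printf 'iptables -A %s -p %s --dport %s -j REJECT --reject-with %s\n' \
        "$chain" "$proto" "$dport" "$rtype"
}

# The case from the man page: answer ident (113/tcp) probes with a RST so
# the remote mail host gives up immediately instead of waiting on a timeout.
build_reject_rule INPUT tcp 113 tcp-reset
```

Because a RST is carried in TCP rather than ICMP, the rule built by the last line still gets an immediate answer through to a peer that filters all inbound ICMP, which is the point David makes above; the validation matters because `iptables` itself would only reject the bad `udp`/`tcp-reset` combination at load time, after the rest of a ruleset may already have been applied.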