Re: [Fedora] Re: iptables: drop or reject?

Rahul Sundaram wrote:
> Ashley M. Kirchner wrote:
>> Manuel Arostegui Ramirez wrote:
>>> In this case, I would choose to drop packets since they're not going
>>> to stop; it's better not to increase the packets on your interface.
>>>
>>    That's kinda what I thought too, however as far as the sending
>> machine is concerned, because it didn't get anything back, it could
>> potentially see it as a successful delivery and thus continue to
>> deliver more and more crap.  On the other hand, if it does get some
>> kind of reset...
>>
>>    I don't know.  I certainly don't want to increase my traffic, but
>> I also don't want to give them any reason to believe that they
>> reached me and then increase the amount of crap they're sending.
> 
> By rejecting packets, you would be explicitly confirming that you are an
> active connection instead of being a blackhole, which, like any spam you
> confirm, can increase traffic. As you can see, this can play out both ways.

Is that really true?

When it comes to dropping packets, every packet is dropped.  That means that
the initial SYN packet that gets the handshake going will be dropped.
Thus, the receiving side will not send a SYN-ACK and a connection will never
be established.  This is also true on the reject side...but in the case of a
drop the TCP/IP layer will wait for a timeout on the sending side, slowing
them down a bit.  In both cases the sending application would have to care
about these things.  If it is email/SMTP we are talking about...most
spamming software doesn't seem to care and will retry.  In both cases, the message
they would be trying to send out would remain in the queue.  This is the
hint/key to the application deciding if the other end has gotten the
message/email.  (Remember, we are operating on 2 levels in the stack here.)

The act of dropping packets is generally set up as application agnostic.  So,
if you are going to drop packets from a given source you will be doing it on
all ports.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list