On Fri, 2006-01-20 at 19:20 -0300, Horst von Brand wrote:
> Jurgen Kramer <gtm.kramer@xxxxxxxxxxxx> wrote:
> > I noticed that with FC5t2 the iptables firewall still has the -j REJECT
> > --reject-with icmp-host-prohibited rule instead of a more secure -j
> > DROP.
> > What is the reason behind this?
>
> DROP is extremely rude to the other end, which times out wondering what
> happened to the stuff sent.

Maybe rude but I think this is the default behavior for (most) commercial
firewalls. Most people will disable icmp echo replies on machines connected
to the net so script kiddies won't find them easily but if the firewall
just answers to every knock on any random port that won't help.

> How would a nice error message back saying them they aren't allowed to do
> $WHATEVER be less secure than just letting them hang out to dry? The end
> result is the same...
> --
> Dr. Horst H. von Brand                    User #22616 counter.li.org
> Departamento de Informatica               Fono: +56 32 654431
> Universidad Tecnica Federico Santa Maria  +56 32 654239
> Casilla 110-V, Valparaiso, Chile          Fax: +56 32 797513

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
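The two rule forms the thread argues about, side by side in a minimal ruleset, as an added example that is not part of the original messages or of Fedora's own firewall configuration. The script only prints an iptables-restore style ruleset for review; it applies nothing. The chain layout (loopback accept, ESTABLISHED/RELATED accept, one allowed TCP port) and the default port 22 are assumptions chosen to make the terminal REJECT or DROP rule readable in context.

```shell
#!/bin/sh
# Added example (not from the thread): emit a minimal filter table whose
# last INPUT rule is either the Fedora-style REJECT with
# icmp-host-prohibited, or a silent DROP. Output is text for review only.

# emit_ruleset POLICY [PORT]
#   POLICY is "reject" or "drop"; PORT is the single TCP service to allow
#   (constructed default: 22). Prints iptables-restore format on stdout.
emit_ruleset() {
    policy=$1
    port=${2:-22}
    case "$policy" in
        # Sender gets an ICMP "host administratively prohibited" answer
        # and its connect() fails immediately.
        reject) final='-A INPUT -j REJECT --reject-with icmp-host-prohibited' ;;
        # Packet is discarded silently; the sender waits for a timeout.
        drop)   final='-A INPUT -j DROP' ;;
        *)      echo "emit_ruleset: unknown policy '$policy'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
$final
COMMIT
EOF
}

# terminal_rule POLICY [PORT]
#   Returns the last INPUT rule of the generated ruleset, i.e. the one
#   that decides what an unsolicited packet to a closed port receives.
terminal_rule() {
    emit_ruleset "$1" "$2" | grep '^-A INPUT' | tail -n 1
}

# Stand-alone usage: show both variants for comparison.
if [ "${1:-}" = "--demo" ]; then
    echo "### reject variant"; emit_ruleset reject
    echo "### drop variant";   emit_ruleset drop
fi
```

To apply either variant for real you would feed the output to iptables-restore as root; reviewing the text first (for instance with `terminal_rule drop`) is the point of keeping generation and application separate.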