REJECTing: How and When to use What type of reply.

Linux Advanced Routing and Traffic Control


 



For this thread I'd like to FOCUS on rejecting bad traffic and not on dropping.  The first case
I'd like to discuss is where all but a handful of public web sites are allowed for outgoing
connections.  A typical NAT setup is used where all the users sit behind a firewall; some have
full access to the Internet but most have restricted access.  I'd also like to bring other
minds into the discussion, and not have it be a Linux-only problem.

Here is the big deal.  A web page like www.nasdaq.com is considered valid, so traffic to its IP
208.249.117.71 is ACCEPTed.  However, this site pulls content from an unknown group of other
sites, unfortunately not ACCEPTed.  In the meantime, until all the sites can be added, it's not
proper to simply DROP these SYN packets.  This is where this concerns EVERYONE: the client
software needs to get the right REJECT from the firewall.  Now How and When to use What type of
reply becomes a big deal.

I'd like to open this discussion up to everyone who has 2 cents and/or another good use of REJECT
vs DROP.  For my setup I have winblows computers running both IE and Netscape behind a generic
firewall *Blush*.  The two types of REJECTs I have tested are "TCP RST" and ICMP (Port
Unreachable).  Are there any others?

This thread may be moved to another list where appropriate.


_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
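
What the REJECT-versus-DROP difference looks like from the client side, as an added example that is not part of the original post: a single TCP connect attempt is classified by how it ends and how long the client waited. The function names `probe`, `closed_local_port` and `open_local_listener` are hypothetical, and the targets are constructed loopback ports so the script runs offline.

```python
import socket
import time

def probe(host, port, timeout=2.0):
    """Try one TCP connect; return (verdict, seconds_waited)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        verdict = "accepted"
    except ConnectionRefusedError:
        # A TCP RST came back. Linux also reports an ICMP port-unreachable
        # answer to a SYN as ECONNREFUSED, so both REJECT types land here.
        verdict = "rejected"
    except socket.timeout:
        # Nothing came back before the deadline: what a DROPped SYN looks like.
        verdict = "no-reply"
    except OSError as exc:
        # For example EHOSTUNREACH or ENETUNREACH from other ICMP codes.
        verdict = "error:" + (exc.strerror or str(exc.errno))
    finally:
        s.close()
    return verdict, time.monotonic() - start

def closed_local_port():
    """Constructed target: a loopback port with no listener (kernel sends RST)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def open_local_listener():
    """Constructed target: a loopback port that completes the handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    print("closed port:", probe("127.0.0.1", closed_local_port()))
    srv, port = open_local_listener()
    print("listener:   ", probe("127.0.0.1", port))
    srv.close()
```

Pointed at a destination whose SYNs are silently discarded, the same call returns `no-reply` only after the full timeout, which is the wait the client software sits through for every blocked embedded resource.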
