Re: LOG target for rate-limiting on iptables not working...?

Reject will send either a Reset (RST) packet (TCP)
or an ICMP reject (UDP).

Drop will silently ignore the packet's existence.
The sender will get no response at all.

If you have no listening ports, and everything that is not
associated with an outgoing connection is DROPped (as opposed
to rejected) it makes it rather hard for a random attacker
to realize that your

Generally I would say that errant packets from 'presumed friendly'
machines can probably be safely rejected. Packets from 'presumed
hostile' addresses should probably be silently dropped.


Jens Knoell wrote:

I've rate-limited the incoming connections to some ports. The rate
limiting works, but it doesn't log to syslog... other non-rate-limiting
rules where LOG targets exist work, so I know logging in principle works.
What am I missing? No LOG target for this module? :)

Also, is there any advantage to use DROP instead of REJECT? Just
curious.


--
Stephen Samuel +1(604)450-0066             samnospam@xxxxxxxxxxx
		   http://www.bcgreen.com/
  Powerful committed communication. Transformation touching
    the jewel within each person and bringing it to light.
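As an added illustration of the two things discussed in this thread (a rate-limited port that also logs, and the choice between DROP and REJECT for the overflow), here is a small script that builds an iptables ruleset in iptables-restore format. It is not code from either poster; the port number, log prefix, rates and the chain name RATELIMIT are assumed values for the example, and "drop" versus "reject" stands in for the hostile/friendly distinction Stephen describes.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an iptables ruleset
# (iptables-restore format) that rate-limits new TCP connections to one
# port, logs the connections that exceed the limit, and then drops or
# rejects them. PORT, LOG_PREFIX and the rates are assumed values.

PORT="${PORT:-22}"          # assumed: the port being rate-limited
LOG_PREFIX="ratelimit: "    # assumed: prefix to look for in the kernel log

# build_ruleset MODE
#   MODE=drop   -> silently drop the excess connections (hostile sources)
#   MODE=reject -> answer them (friendly sources) with a TCP RST
build_ruleset() {
    mode="${1:-drop}"
    case "$mode" in
        drop)   final='-j DROP' ;;
        # REJECT's default reply is icmp-port-unreachable for every protocol;
        # --reject-with tcp-reset makes it send an RST for TCP instead.
        reject) final='-j REJECT --reject-with tcp-reset' ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:RATELIMIT - [0:0]
# Only connection attempts (SYN) are counted; established traffic is unaffected.
-A INPUT -p tcp --dport $PORT --syn -j RATELIMIT
# Up to 10 new connections at once, refilling at 5 per minute, are accepted.
# The limit match keeps its token bucket per rule, so it sits on the ACCEPT rule.
-A RATELIMIT -m limit --limit 5/min --limit-burst 10 -j ACCEPT
# Whatever falls through has exceeded the limit. LOG is a non-terminating
# target, so it must be its own rule placed before the final DROP/REJECT;
# the second limit match only throttles log lines, not the traffic itself.
-A RATELIMIT -m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix "$LOG_PREFIX" --log-level info
-A RATELIMIT $final
COMMIT
EOF
}

# count_rules MODE TARGET: how many rules in the generated ruleset jump to TARGET
count_rules() {
    build_ruleset "$1" | grep -c -- "-j $2"
}

# Only load the rules when explicitly asked and the tool exists; otherwise
# just print the ruleset so it can be reviewed first.
if [ "${1:-}" = "--apply" ] && command -v iptables-restore >/dev/null 2>&1; then
    build_ruleset "${2:-drop}" | iptables-restore
else
    build_ruleset "${1:-drop}"
fi
```

Run it without arguments to print the ruleset, or as `sh ratelimit.sh --apply reject` (as root) to load it. Note that iptables-restore replaces the whole filter table unless given --noflush, so merge the RATELIMIT chain into an existing ruleset rather than loading this file on a production host as-is. The ordering inside RATELIMIT is the part that matters for the logging question: a rule of the form `-m limit ... -j ACCEPT` on its own never logs anything, because LOG must be a separate rule, and it only sees the packets that the ACCEPT rule let through the chain, i.e. the ones over the limit.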

-
: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
