> Hi,
>
> We've a recent install of iptables and came across the broken ms tcp
> problem.

Um, I thought NEW, not SYN is a result of a conntrack entry expiry. Of course besides 'on purpose' packet crafting or scanning, etc.

> I was wondering, would rejecting the packet be faster than
> dropping it for the client?

Well, yes. The client's TCP stack, on receiving either the TCP RST or the ICMP unreach, will inform the application about it. Now it's up to the client's application (e.g. IE) to handle the network error properly. Anyway, dropping the packet will get you nowhere; you'll be waiting as long as the client application's (or the TCP stack's) timeout is. Or the user's patience is :)

> client will wait for a timeout before sending a proper syn packet.

Really? MS IE sending improper SYN packets? What is so improper about it? It must be something else.

> IE too dumb to recognise the reject?

Well, try -j REJECT --reject-with tcp-reset; it will result in IE finding that the port is closed. Also this works great for blocking ads in messenger software, you just have to know the IP/port of the ads.

Regards,
Maciej
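The mechanism behind the reply above, as an added model that is not part of the original mail and touches no real netfilter code: a tiny conntrack table with an expiry, the rule `-p tcp ! --syn -m state --state NEW -j <DROP|REJECT>`, and what the client's stack sees for each verdict. The endpoints, the conntrack timeout of 3600 s and the 900 s client retransmission give-up figure are constructed assumptions, not measured values.

```python
"""Constructed model (not netfilter code) of the NEW,!SYN situation discussed
above: why a segment from a live TCP connection is classified NEW once its
conntrack entry has timed out, and what the client's stack sees when the
firewall DROPs it versus REJECTs it with --reject-with tcp-reset."""
from dataclasses import dataclass

# TCP flag bits
SYN, RST, ACK = 0x02, 0x04, 0x10

# Assumed client-side figure: how long a stack keeps retransmitting
# unacknowledged data before reporting an error to the application.
ASSUMED_RETRANSMIT_GIVEUP = 900.0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # seconds on an assumed monotonic clock


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a connection share one entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def is_syn(p):
    """iptables --syn: SYN set and ACK, RST clear. '! --syn' is the complement."""
    return p.flags & (SYN | ACK | RST) == SYN


class Conntrack:
    """Minimal flow table: key -> expiry time. Entries are confirmed only when
    the packet that created them is accepted, as netfilter does."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}

    def state(self, p):
        # Expire idle entries first; an expired flow looks like a brand new one.
        self.table = {k: exp for k, exp in self.table.items() if exp > p.t}
        if flow_key(p) in self.table:
            self.table[flow_key(p)] = p.t + self.timeout  # refresh on traffic
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, p):
        self.table[flow_key(p)] = p.t + self.timeout


def firewall(ct, p, policy):
    """Apply: -p tcp ! --syn -m state --state NEW -j <policy>, else ACCEPT.
    Returns (state, verdict)."""
    state = ct.state(p)
    if state == "NEW" and not is_syn(p):
        return state, policy
    if state == "NEW":
        ct.confirm(p)
    return state, "ACCEPT"


def client_outcome(verdict):
    """What the client's TCP stack/application experiences, and how long it waits."""
    if verdict == "ACCEPT":
        return "delivered", 0.0
    if verdict == "REJECT":
        # --reject-with tcp-reset: the RST reaches the client stack at once and
        # the application gets a connection-reset error immediately.
        return "ECONNRESET", 0.0
    # DROP: nothing comes back; the client retransmits until its stack gives up.
    return "timeout", ASSUMED_RETRANSMIT_GIVEUP


def scenario(policy, idle_seconds, ct_timeout=3600.0):
    """Handshake at t=0 through the firewall, then the client sends data after
    idle_seconds. Returns (state, verdict, outcome) for that data segment."""
    ct = Conntrack(ct_timeout)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)  # constructed endpoints
    handshake = [
        Packet(*c, *s, SYN, 0.00),
        Packet(*s, *c, SYN | ACK, 0.01),
        Packet(*c, *s, ACK, 0.02),
    ]
    for p in handshake:
        assert firewall(ct, p, policy)[1] == "ACCEPT"
    data = Packet(*c, *s, ACK, 0.02 + idle_seconds)
    state, verdict = firewall(ct, data, policy)
    return state, verdict, client_outcome(verdict)


if __name__ == "__main__":
    for policy, idle in (("DROP", 10), ("DROP", 7200), ("REJECT", 7200)):
        print(policy, idle, scenario(policy, idle))
```

Running it shows the three cases the thread is about: data within the conntrack timeout stays ESTABLISHED and passes; after the entry expires the same segment is NEW without SYN, and with DROP the client sits out its whole retransmission timer, while with REJECT and tcp-reset the RST turns into an immediate error on the client side.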