On Mon, 3 Mar 2003 17:38:06 +0000, Athan <netfilter@miggy.org> wrote in message <20030303173805.GB24602@miggy.org>: > On Mon, Mar 03, 2003 at 06:28:01PM +0100, Michael K wrote: > > I saw this rule someware on the net. > > $IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT > > > > Whats the use to use reject on a UDP packet? Isn't udp > > connection-less A more correct shouldn't that be "-j DROP"? Or am I > > thinking wrong here? > > REJECT is "return some ICMP code saying 'no go'" usually something > like 'port unreachable'. > DROP is "just forget about this packet, send nothing back to the > source". ...the latter is appropriate for your external interface to evade scriptkiddies looking for easy enough prey, while you may prefer the former for your internal lan wintendo users, to help them avoid stalling their wintendos on trying to share files. > Thus the difference has nothing to do with connectionful vs. > connectionless. > > -Ath -- ..med vennlig hilsen = with Kind Regards from Arnt... ;-) ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case.
