Re: Rejecting udp

On Mon, 3 Mar 2003 17:38:06 +0000, 
Athan <netfilter@miggy.org> wrote in message 
<20030303173805.GB24602@miggy.org>:

> On Mon, Mar 03, 2003 at 06:28:01PM +0100, Michael K wrote:
> > I saw this rule somewhere on the net.
> > $IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
> > 
> > What's the use of REJECT on a UDP packet? Isn't UDP
> > connection-less? Wouldn't "-j DROP" be more correct? Or am I
> > thinking wrong here?
> 
> REJECT is "return some ICMP code saying 'no go'" usually something
> like 'port unreachable'.
> DROP is "just forget about this packet, send nothing back to the
> source".

...the latter is appropriate for your external interface to evade 
script kiddies looking for easy enough prey, while you may prefer 
the former for your internal LAN wintendo users, to help them avoid 
stalling their wintendos on trying to share files.
 
> Thus the difference has nothing to do with connectionful vs.
> connectionless.
> 
> -Ath


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
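As an added illustration of the difference Athan describes, and of why DROP makes a sender stall (this is not part of the thread): a small Python check of what a UDP sender experiences when the far end answers with ICMP port unreachable, as REJECT does, versus when it stays silent, as DROP does. It uses the loopback interface and assumes Linux delivery of ICMP errors as ECONNREFUSED on connected UDP sockets; no iptables rules are involved.

```python
import socket

# Constructed demonstration (not from the list post): what a UDP sender sees
# when the far side answers "port unreachable" (what -j REJECT produces)
# versus when the packet is silently discarded (what -j DROP produces).

def probe(port: int, timeout: float = 0.5) -> str:
    """Send one UDP datagram to 127.0.0.1:port and report the outcome.

    Returns "refused" if an ICMP port-unreachable came back (REJECT-like),
    "timeout" if nothing came back before the deadline (DROP-like),
    or "answered" if a reply datagram arrived.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    # connect() on a UDP socket makes the kernel report ICMP errors for
    # this destination as ECONNREFUSED on the next recv()/send().
    s.connect(("127.0.0.1", port))
    try:
        s.send(b"netbios-ns probe")  # constructed payload, not a real query
        s.recv(1024)
        return "answered"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()

def closed_port() -> int:
    """Pick a UDP port that is currently unbound: the kernel answers
    datagrams sent there with ICMP port unreachable, like REJECT."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def silent_port():
    """Bind a UDP socket that never replies, so the sender gets nothing
    back, like DROP. Returns (port, socket); the caller keeps it alive."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sink.bind(("127.0.0.1", 0))
    return sink.getsockname()[1], sink

if __name__ == "__main__":
    print("REJECT-like:", probe(closed_port()))  # refused, immediately
    port, sink = silent_port()
    print("DROP-like:  ", probe(port))           # timeout, after 0.5 s
    sink.close()
```

The "refused" case is the fast failure a LAN client gets from REJECT; the "timeout" case is the stall that DROP causes, repeated for every share lookup the client attempts.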
