On Monday 31 May 2004 11:32, Markus Zeilinger wrote:
> - Why is DROP bad here? As I see REJECT would send an error message
> back to the source, but this would not make any sense on packets coming
> on the WAN interface with private IP addresses, or am I wrong?

You are not wrong. Personally I would DROP any bogons coming in on a WAN interface. REJECT does not make sense in this case; if they are unallocated or hijacked blocks, the replies will not make it anyway. If they are RFC1918 addresses that you are using internally, the replies would be sent to your LAN, which would not be desirable.

David
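The policy in this reply, written out as an added example that is not part of the thread: a POSIX sh check for RFC1918 sources and the DROP rules it implies for the WAN interface. `WAN_IF` is an assumed interface name, and the iptables commands are printed rather than executed.

```sh
#!/bin/sh
# Added example (not from the original mail). Private (RFC1918) sources
# arriving on the WAN interface are DROPped, never REJECTed: a REJECT would
# send an ICMP error toward an address that lives on our own LAN.
WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface name

# Convert a dotted quad to an integer using only POSIX arithmetic.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside network $2 with prefix length $3.
in_net() {
    ip=$(ip2int "$1"); net=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq "$net" ]
}

# RFC1918 space: 10/8, 172.16/12 and 192.168/16.
is_rfc1918() {
    in_net "$1" 10.0.0.0 8 || in_net "$1" 172.16.0.0 12 || in_net "$1" 192.168.0.0 16
}

# Decide what a packet with source $1 on the WAN interface gets:
# DROP for private space, RETURN (fall through to the normal rules) otherwise.
wan_action() {
    if is_rfc1918 "$1"; then echo DROP; else echo RETURN; fi
}

# Print (do not run) the iptables rules that implement the policy.
bogon_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A INPUT -i $WAN_IF -s $net -j DROP"
    done
}
```

Run `bogon_rules` to see the three rules; `wan_action 192.168.1.5` prints DROP while `wan_action 8.8.8.8` prints RETURN.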