Re: FW: Filtering multiple networks

On Monday 31 May 2004 10:45, Frank Gruellich wrote:
> * Markus Zeilinger <mz@xxxxxxxxxxxxxxxxxx> 31. May 04:
> > - Why is DROP bad here? As I see REJECT would send an error message
> > back to the source, but this would not make any sense on packets
> > coming on the WAN interface with private IP addresses, or am I wrong?
> It would be kinda polite to point the sender of the packets to his
> misconfigured box.  REJECT is like yelling 'Hey, you are wrong!'
> DROPping is like closing your eyes to somebody's problem.  Anyway, it's
> your decision right here.

Can you please explain how a TCP RST or ICMP message is supposed to get 
back to a spoofed RFC 1918 (or otherwise reserved) address?  Sending 
replies of any sort out of a WAN interface onto the Internet to a 
reserved or private address is very bad practice.  Some would even argue 
that sending to unallocated space is bad.  If border routers don't drop 
such packets, your firewall most certainly should.

David
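As an added example (not posted in the thread, and not part of any netfilter project code), the following POSIX sh script builds the kind of ruleset David describes: packets arriving on the WAN interface with an RFC 1918 or otherwise reserved source address are dropped, never rejected, because the RST or ICMP error a REJECT would generate has no route back to the real sender and would only leak out of the WAN interface onto the Internet. The interface name `eth0`, the chain names `WAN_BOGONS` and `BOGON_DROP`, the rate-limited LOG rule and the sample addresses at the end are assumptions for illustration; the script prints the iptables commands so the ruleset can be reviewed before it is applied, and it also includes a small prefix-match check for classifying a source address.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Emits iptables rules that
# DROP (not REJECT) packets with private/reserved source addresses that arrive
# on the WAN interface. Interface and chain names below are assumptions.

WAN_IF="${WAN_IF:-eth0}"      # assumed WAN interface name
CHAIN="WAN_BOGONS"            # assumed chain name: per-prefix matches
DROP_CHAIN="BOGON_DROP"       # assumed chain name: log (rate-limited) then drop

# Source prefixes that must never appear on packets arriving from the Internet.
# The three RFC 1918 ranges are the ones discussed in the thread; the rest are
# other reserved ranges (loopback, link-local, "this" network, multicast, class E).
BOGON_SRCS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4"

# Print the iptables commands instead of executing them, so they can be reviewed.
emit_bogon_rules() {
    echo "iptables -N $DROP_CHAIN"
    # A rate-limited log line keeps evidence of spoofed/misrouted traffic
    # without letting a flood of it fill the log.
    echo "iptables -A $DROP_CHAIN -m limit --limit 5/min -j LOG --log-prefix \"bogon-src: \""
    # DROP rather than REJECT: an RST/ICMP error addressed to a private or
    # reserved source would be sent out of $WAN_IF and cannot reach the sender.
    echo "iptables -A $DROP_CHAIN -j DROP"
    echo "iptables -N $CHAIN"
    for net in $BOGON_SRCS; do
        echo "iptables -A $CHAIN -s $net -j $DROP_CHAIN"
    done
    # Only traffic entering on the WAN interface is subject to these checks;
    # the same private ranges are legitimate on the LAN side.
    echo "iptables -I INPUT 1 -i $WAN_IF -j $CHAIN"
    echo "iptables -I FORWARD 1 -i $WAN_IF -j $CHAIN"
}

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/PREFIX: succeed (exit 0) if ADDRESS lies in the prefix.
in_cidr() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_bogon_src ADDRESS: succeed if the address falls in any reserved prefix above,
# i.e. it would be dropped by the emitted ruleset when seen on the WAN interface.
is_bogon_src() {
    for net in $BOGON_SRCS; do
        if in_cidr "$1" "$net"; then return 0; fi
    done
    return 1
}

# Demonstration on constructed sample addresses (not real traffic).
for sample in 10.1.2.3 172.31.255.1 172.32.0.1 192.168.1.9 203.0.113.7; do
    if is_bogon_src "$sample"; then
        echo "$sample: reserved source, would be DROPped on $WAN_IF"
    else
        echo "$sample: public source, passes the bogon check"
    fi
done
echo "--- generated rules ---"
emit_bogon_rules
```

The generated rules are inserted at the top of INPUT and FORWARD so the check runs before any accept rule; piping the output into `sh` applies them once reviewed. Note that `172.32.0.1` is correctly treated as public, since the RFC 1918 range in that block is only `172.16.0.0/12`.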

