On Wed, Aug 11, 2004 at 12:30:50PM -0400, Jason Opperisano wrote:
> is not narrowing down the interface/source, and is hit before any
> connection tracking occurs. i've never used "-j REJECT --reject-with
> tcp-reset" without also specifying "--syn" as it could have very odd
> results (and also doesn't make sense from a TCP perspective)...

Really? I thought "-j REJECT --reject-with tcp-reset" would always do the right thing, even without specifying --syn (of course, it wouldn't be a bad idea to specify it anyway). I have several systems running fine without the --syn option explicitly mentioned.

Could any of the "core" guys say if my assumption is wrong?

Carlos
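The disagreement above is about whether a `REJECT --reject-with tcp-reset` rule should be limited to SYN packets. The script below is an added example, not code from either poster or from the netfilter project: it parses `iptables-save` output and reports every tcp-reset REJECT rule together with whether it is restricted to initial SYNs (`--syn`, or its long form `--tcp-flags SYN,RST,ACK,FIN SYN`) and whether `-p tcp` is present, so an administrator can see at a glance which of their rules match the pattern discussed. The sample ruleset is constructed for the example. One fact the script relies on: the kernel's REJECT target refuses `tcp-reset` for a rule that is not `-p tcp`, so the last sample rule would never load as written.

```python
import shlex

# Constructed sample iptables-save output (not from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --syn --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN --dport 135 -j REJECT --reject-with tcp-reset
-A INPUT -p udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with tcp-reset
COMMIT
"""


def parse_rules(text):
    """Yield (chain, tokens) for every '-A CHAIN ...' line of iptables-save output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip table names, chain policies, COMMIT and comments
        tokens = shlex.split(line)
        yield tokens[1], tokens[2:]


def _arg_after(tokens, flag):
    """Return the token following `flag`, or None if absent or negated with '!'."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag and not (i > 0 and tokens[i - 1] == "!"):
            return tokens[i + 1]
    return None


def is_syn_only(tokens):
    """True if the match restricts the rule to initial SYN packets.

    --syn is iptables shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
    A '!' before either form negates it and does not count.
    """
    for i, tok in enumerate(tokens):
        negated = i > 0 and tokens[i - 1] == "!"
        if tok == "--syn" and not negated:
            return True
        if tok == "--tcp-flags" and not negated and i + 2 < len(tokens):
            mask = set(tokens[i + 1].upper().split(","))
            comp = set(tokens[i + 2].upper().split(","))
            if mask == {"SYN", "RST", "ACK", "FIN"} and comp == {"SYN"}:
                return True
    return False


def audit_tcp_reset_rules(text):
    """Return one finding per 'REJECT --reject-with tcp-reset' rule."""
    findings = []
    for chain, tokens in parse_rules(text):
        if _arg_after(tokens, "-j") != "REJECT":
            continue
        if _arg_after(tokens, "--reject-with") != "tcp-reset":
            continue
        findings.append({
            "chain": chain,
            "rule": " ".join(tokens),
            "tcp_proto": _arg_after(tokens, "-p") == "tcp",
            "syn_only": is_syn_only(tokens),
        })
    return findings


if __name__ == "__main__":
    for f in audit_tcp_reset_rules(SAMPLE_RULES):
        notes = []
        if not f["tcp_proto"]:
            notes.append("no '-p tcp' (kernel rejects tcp-reset for non-TCP)")
        if not f["syn_only"]:
            notes.append("not limited to --syn")
        print(f"{f['chain']}: {f['rule']}")
        print("    " + ("; ".join(notes) if notes else "tcp, --syn restricted"))
```

Run it against `iptables-save` output on a real host instead of the constructed sample to list your own tcp-reset rules; the script only reports the two properties the thread argues about and does not decide which choice is correct for a given deployment.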