Really? I thought "-j REJECT --reject-with tcp-reset" would always do the right thing, even without specifying --syn (of course, it wouldn't be a bad idea to specify it anyway). I have several systems running fine without the --syn option explicitly mentioned. Could any of the "core" guys say if my assumption is wrong?

Carlos

My views are this: If you are going to reset a TCP connection, it is best to do so at the earliest possible moment of a TCP session, preferably after the initial syn of the three-way handshake. When I use "-j REJECT --reject-with tcp-reset" it is always in response to a NEW (thus syn) packet.

Perhaps Mr. Stone will weigh in on this. If Chris Brenton is listening in, I would like to hear his views on this as well.