On Tue, 2005-02-08 at 04:32, Jose Maria Lopez wrote:
> I don't have the documentation handy, but it said making just a
> DROP could lead you to being DOS attacked. Has anybody heard
> something about this?

i propose that the exact opposite is true. why should i make my firewall undertake the effort of generating a RST packet for every yahoo on the Internet that wants to scan my IP range for TCP 139, 445, etc.? DROP-ing a packet doesn't take any real effort on the firewall's part; whereas generating a RST packet adds at least some overhead--which in the extreme case could be significant.

-j

--
"Here are your messages:
'You have thirty minutes to move your car.'
'You have ten minutes to move your car.'
'Your car has been impounded.'
'Your car has been crushed into a cube.'
'You have thirty minutes to move your cube.'"
--The Simpsons