First off, you have a double -j in there. Secondly, REJECT is similar, but not the same as DROP. In either case, REJECT is the end of the chain. So it's useless to put the -j DROP there. But the first one should be fine.

If you are worried about continued DOS attacks, etc, look at -j TARPIT. It requires you to recompile the kernel but it's the best thing for slowing people down.

Gary Smith

On Tue, 2006-02-21 at 18:05 +0200, Brent Clark wrote:
> Hi all
>
> I have a default policy of DROP for the INPUT, OUTPUT AND FORWARD.
>
> I was thinking that just before the end of a FORWARD chain, I would use something like this.
>
> $IPT -t filter -A FORWARD -j -j REJECT --reject-with icmp-host-unreachable
> $IPT -t filter -A FORWARD -j DROP
>
> Would anyone be kind enough to advise me on whether this is ok.
>
> I definitely think it will slow some applications from continuously retrying.
>
> Kind Regards
> Brent Clark
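As an added example (not from either message in the thread), here is a small shell linter that checks a list of iptables commands for the two problems Gary points out: a repeated "-j", and a rule appended to a chain after an unconditional terminating target (REJECT, DROP or ACCEPT with no match), which can never be reached. The function names and the sample rule lists are my own; the sample input is constructed from Brent's two commands.

```shell
#!/bin/sh
# lint_rules: read one iptables command per line on stdin, print findings.
# Only "-A" (append) is tracked; "-I" inserts ahead of existing rules.
lint_rules() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
    {
        jcount = 0; table = "filter"; chain = ""; target = ""; conditional = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-j")       { jcount++; target = $(i + 1) }
            else if ($i == "-A")  { chain = $(i + 1) }
            else if ($i == "-t")  { table = $(i + 1) }
            # any match specifier makes the rule conditional, so it does not
            # end the chain for every packet
            else if ($i ~ /^(-s|-d|-p|-i|-o|-m|!)$/) { conditional = 1 }
        }
        key = table "/" chain
        if (jcount > 1)
            printf "line %d: \"-j\" given %d times\n", NR, jcount
        if (chain != "" && (key in ended))
            printf "line %d: unreachable: chain %s already ended by unconditional %s on line %d\n",
                   NR, key, ended[key], endline[key]
        else if (chain != "" && !conditional && target ~ /^(ACCEPT|DROP|REJECT)$/) {
            ended[key] = target; endline[key] = NR
        }
    }'
}

# Constructed input: the two rules from Brent's message, one command per line.
sample_rules() {
    printf '%s\n' \
        '$IPT -t filter -A FORWARD -j -j REJECT --reject-with icmp-host-unreachable' \
        '$IPT -t filter -A FORWARD -j DROP'
}

# Constructed: the same chain following Gary's advice, a single REJECT at the
# end and no trailing DROP; the state match before it is conditional, so fine.
fixed_rules() {
    printf '%s\n' \
        '$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '$IPT -t filter -A FORWARD -j REJECT --reject-with icmp-host-unreachable'
}

sample_rules | lint_rules   # reports both problems
fixed_rules | lint_rules    # reports nothing
```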