I thought we answered this already. If you use -j REJECT then -j DROP will never be hit. So that second line becomes useless. If you want to slow things down, check out -j TARPIT module (which requires kernel changes).

Gary Wayne Smith

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Clark
> Sent: Tuesday, February 21, 2006 8:05 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: --reject-with icmp-host-unreachable VS DROP
>
> Hi all
>
> I have a default policy of DROP for the INPUT, OUTPUT AND FORWARD.
>
> I was thinking that just before the end of a FORWARD chain, I would use
> something like this.
>
> $IPT -t filter -A FORWARD -j REJECT --reject-with icmp-host-unreachable
> $IPT -t filter -A FORWARD -j DROP
>
> Would anyone be kind enough to advise me on whether this is ok.
>
> I definitely think it will slow some applications from continuously
> retrying.
>
> Kind Regards
> Brent Clark
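The point in the reply (an unconditional REJECT ends chain traversal, so a following DROP in the same chain is dead) generalises to any unconditional terminating target. Below is an added example, not from the list thread, that lints iptables-save output for rules that can never match because an earlier rule in the same chain has no match options and jumps to ACCEPT, DROP, REJECT or RETURN; the ruleset in SAMPLE_DUMP is constructed to mirror the FORWARD chain from the question.

```python
import shlex

# Targets that end traversal of the current chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed iptables-save snippet mirroring the FORWARD chain in the question.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -j DROP
COMMIT
"""

def parse_rule(line):
    """Return (chain, has_matches, target) for an '-A CHAIN ...' line, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, matches, target = toks[1], [], None
    for i in range(2, len(toks)):
        if toks[i] in ("-j", "-g"):
            target = toks[i + 1] if i + 1 < len(toks) else None
            break  # tokens after the target (e.g. --reject-with) are target options
        matches.append(toks[i])  # anything before -j/-g is a match condition
    return chain, bool(matches), target

def unreachable_rules(dump):
    """Return [(table, chain, rule)] for rules placed after an unconditional
    terminating rule in the same chain of the same table."""
    table, terminated, found = None, set(), []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(":") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]  # '*filter' starts the filter table
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, has_matches, target = parsed
        if (table, chain) in terminated:
            found.append((table, chain, line))
        elif not has_matches and target in TERMINATING:
            terminated.add((table, chain))
    return found

if __name__ == "__main__":
    for table, chain, rule in unreachable_rules(SAMPLE_DUMP):
        print(f"unreachable in {table}/{chain}: {rule}")
```

Run it against a live box with `iptables-save | python3 lint.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; rules after a conditional REJECT (one with match options) are correctly left alone.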