Re: blocking access to port 22 when INPUT policy is ACCEPT

On Tuesday, 31 July, Grant Taylor typed the following:

> >But what's wrong with the two rules?

> Nothing.  The old saying "If it isn't broke, don't fix it..." with its 
> third stanza "...optimize it!" comes to mind.

:)

[...]
> >You might have noticed that I've changed the "DROP" to "REJECT" with 
> >fitting type which will make the life of you and other people easier 
> >when debugging anything related to ssh access to this box.

> The problem with this is that if you have an IP address of e.f.g.h, the 
> first rule will reject the connection.  Negative logic does not work 
> quite as you would expect it to.  You have to work with inverted 
> positive logic below (invert the result of the entire set of logic).

Argh.
I should not write mails when totally tired.
I'm really sorry for the fnord.
Thanks for getting it right.

> There is also the fact that fewer and fewer things know how to handle 
> error messages like this, or if they do they do not display them to the 
> end user.  (Thanks M$!)  You may have better luck with a basic REJECT 
> target than one that specifies the ICMP error code unless you know that 
> you are working with a client application that can correctly interpret.
[...]

You're sadly right here, too.
But I have to state that tcpdump (which most probably will be most
often used when debugging network problems) shows this correctly.
I think ethereal^Wwireshark will do so, too.

Ciao
Max
-- 
	Follow the white penguin.
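An added example, not code from this thread, that models the first-match chain evaluation behind Grant's point about negative logic. The two rule sets are constructed assumptions (the original rules are not quoted in the thread), with 192.0.2.10 and 192.0.2.20 standing in for the permitted hosts a.b.c.d and e.f.g.h.

```python
# Added example: a tiny model of iptables INPUT-chain evaluation. The first
# matching rule decides; the chain policy applies when nothing matches.
# Rule sets and addresses below are constructed assumptions, not the
# original poster's rules.
from dataclasses import dataclass
from typing import Optional

HOST_A = "192.0.2.10"   # stands in for a.b.c.d
HOST_B = "192.0.2.20"   # stands in for e.f.g.h

@dataclass
class Rule:
    target: str                   # ACCEPT or REJECT
    dport: Optional[int] = None   # --dport match, None matches any port
    src: Optional[str] = None     # -s match, None matches any source
    negate_src: bool = False      # True models "! -s"

    def matches(self, src: str, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        # A plain -s needs src == self.src; "! -s" needs src != self.src.
        if self.src is not None and ((src == self.src) == self.negate_src):
            return False
        return True

def evaluate(chain: list, policy: str, src: str, dport: int) -> str:
    """Walk the chain like netfilter does: the first matching rule decides."""
    for rule in chain:
        if rule.matches(src, dport):
            return rule.target
    return policy

# Negative logic: "reject ssh unless from A", then "reject ssh unless from B".
# Host B is not A, so the first rule already rejects it (and A hits the second).
NEGATIVE = [
    Rule("REJECT", dport=22, src=HOST_A, negate_src=True),
    Rule("REJECT", dport=22, src=HOST_B, negate_src=True),
]

# Inverted positive logic: accept each permitted host, then reject the rest.
# Other ports still fall through to the INPUT policy (ACCEPT here).
POSITIVE = [
    Rule("ACCEPT", dport=22, src=HOST_A),
    Rule("ACCEPT", dport=22, src=HOST_B),
    Rule("REJECT", dport=22),
]

def verdicts(chain: list, policy: str = "ACCEPT") -> dict:
    """Verdicts for ssh from A, ssh from B, ssh from a stranger, http from B."""
    return {
        "ssh_from_A": evaluate(chain, policy, HOST_A, 22),
        "ssh_from_B": evaluate(chain, policy, HOST_B, 22),
        "ssh_other": evaluate(chain, policy, "198.51.100.7", 22),
        "http_from_B": evaluate(chain, policy, HOST_B, 80),
    }
```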