On 11.01.2010 13:02, Lars Nooden wrote:
> I'd like to add the ability to use the REJECT target as a default policy
> to the netfilter / iptables wishlist.
>
> Using REJECT as a default is currently possible as a kludge; a few steps
> would be saved by allowing it as a default policy. Perhaps that might
> even speed up some filtering in some cases.
>
> A good (IMHO) discussion of DROP vs REJECT has been written by Peter Benie:
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

Imagine you get scanned / DDoSed / SYN-flooded. For every invalid packet coming in, you send out an ICMP packet. Your host and line could get quite busy with just sending irrelevant responses, making the DoS attack even more successful.

You will not have control over how many (limit) and what type of ICMP error is thrown out (it would need a new policy handler).

That's why I personally prefer to DROP to untrusted sides, while placing REJECT rules with a limit before the DROP policy for trusted sides.

Regards,
Mart
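The layout Mart describes (a DROP policy on INPUT, with a rate-limited REJECT rule for the trusted side sitting in front of it) written out as an iptables-restore ruleset. This is an added illustration, not code from either poster or from the netfilter project; the interface names (eth1 as the trusted side), the 192.168.1.0/24 trusted network, the open SSH port and the 10/second limit with a burst of 20 are assumptions chosen for the example. The script emits the ruleset as text so it can be reviewed without touching the kernel, and applies it only when invoked as `apply` by root.

```shell
#!/bin/sh
# Added example: DROP as the INPUT policy, with a limited REJECT rule for the
# trusted side placed before the policy is reached.
# Assumptions (not from the thread): eth1 faces the trusted LAN 192.168.1.0/24,
# the untrusted side is every other interface, and SSH (tcp/22) is offered.

TRUSTED_IF="${TRUSTED_IF:-eth1}"
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
REJECT_LIMIT="${REJECT_LIMIT:-10/second}"   # assumed sane ceiling for ICMP errors
REJECT_BURST="${REJECT_BURST:-20}"

# Emit the ruleset in iptables-restore format. Lines starting with '#' are
# comments to iptables-restore, so the annotated text is loadable as-is.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and existing flows first, so the REJECT/DROP logic only sees new packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service this host offers.
-A INPUT -p tcp --dport 22 -j ACCEPT
# Trusted side: answer politely, but never more than the limit allows.
# Packets past the limit fall through to the DROP policy like untrusted traffic.
-A INPUT -i $TRUSTED_IF -s $TRUSTED_NET -m limit --limit $REJECT_LIMIT --limit-burst $REJECT_BURST -j REJECT --reject-with icmp-port-unreachable
# Untrusted side: no rule matches, so the DROP policy applies and nothing is sent back.
COMMIT
EOF
}

# Helpers for checking the generated ruleset before loading it.
policy_of() {
    # Print the policy of chain $1 (e.g. "DROP" for INPUT).
    gen_rules | awk -v c=":$1" '$1 == c { print $2 }'
}

reject_rule_count() {
    gen_rules | grep -c -- '-j REJECT'
}

unlimited_reject_count() {
    # REJECT rules with no -m limit in front of them: should be zero.
    gen_rules | grep -- '-j REJECT' | grep -vc -- '-m limit' || true
}

# Usage: ./reject-limited.sh        -> print the ruleset for review
#        ./reject-limited.sh apply  -> load it (needs root and iptables-restore)
case "${1:-}" in
    apply) gen_rules | iptables-restore ;;
    "")    gen_rules ;;
esac
```

Loading the ruleset with iptables-restore replaces the filter table atomically, so the DROP policy and the limited REJECT rule take effect together rather than leaving a window where the policy is in place but the trusted-side rule is not.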