On 12.01.2010 14:31, Lars Nooden wrote:
> Gáspár Lajos wrote:
>> IMHO:
>> I do not like to waste resources.
>> An "unwanted/unallowed" incoming packet is already wasting time/bandwidth.
>> A reply (ICMP or whatever else) to this makes you waste your precious
>> resources.
>> (Think about the ASYMMETRIC DSL)
>
> Don't misunderstand the request. It is not a request to prohibit the
> possibility of using DROP as the default policy for a chain, but one of
> *also* allowing use of REJECT as a default policy for a chain. It is
> simply easiest, from a configuration standpoint, to set the default with
> a "-P".
>
> There are times and conditions when DROP will be the appropriate
> default, there are times and conditions when REJECT is the appropriate
> default. Currently REJECT can be done by adding it to the end of a
> chain, effectively making it the default.
>
> Regards
> /Lars

Well, if you write a new policy handler, I've got some feature requests :)

1: allow setting policies on custom (user-created) chains
   (iptables -N chain -P ACCEPT/DROP/REJECT).

2: for REJECT, give ways to limit/hashlimit/recent match, with fallback to DROP, i.e.
   iptables -N foo -P REJECT --reject-with ... -m hashlimit ... -m recent ... --policy-fallback DROP/DELUDE/TARPIT

Oops, I've added DELUDE and TARPIT to the policy wishlist ;)

How about:
   iptables -N foo -P TARPIT -m hashlimit ... -m recent ... --policy-fallback DROP

Thanks a lot :))

Regards
Mart
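The behaviour Mart wishes for (a user-created chain that rejects by default but falls back to a silent DROP once a source exceeds a rate limit) can already be expressed with stock iptables, using the trick Lars mentions: append the "policy" as the last rules of the chain. The script below is an added example written for this thread, not code from any of the posters or from the netfilter project. It emits an iptables-restore fragment; the chain name `inbound_filter`, the allowed port and the hashlimit rates are constructed values for illustration, and applying it requires root and a Linux box with iptables.

```shell
#!/bin/sh
# Added example (not from the thread): emulate "-P REJECT with fallback DROP"
# on a user-defined chain with existing iptables features.
#
# Idea: user chains cannot carry a policy, so the last two rules of the chain
# act as the policy. The REJECT rule is guarded by hashlimit (per source IP),
# so a well-behaved client still gets a prompt "port unreachable", while a
# source hammering the host only burns the limited reply budget and is then
# dropped silently. This saves upstream bandwidth on asymmetric links, which
# was Gáspár's concern about REJECT.
#
# Chain name, port 22 and the 10/second, burst 20 limits are constructed
# assumptions for the example.

# Emit the filter table in iptables-restore format (lines starting with '#'
# are ignored by iptables-restore, so the inline comments are harmless).
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:inbound_filter - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j inbound_filter
# Explicitly allowed services go here (SSH as a constructed example).
-A inbound_filter -p tcp --dport 22 -j ACCEPT
# "Effective REJECT policy": whatever reaches the end of the chain is
# rejected, but only while the per-source rate is within the limit.
-A inbound_filter -m hashlimit --hashlimit-name rejectlimit --hashlimit-mode srcip --hashlimit-upto 10/second --hashlimit-burst 20 -j REJECT --reject-with icmp-port-unreachable
# Fallback: sources over the limit are dropped without any reply.
-A inbound_filter -j DROP
COMMIT
EOF
}

# Validate the fragment without loading it (--test), then load it atomically.
# Needs root; replaces the whole filter table, so review gen_rules first.
apply_rules() {
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

# Line number of the first rule jumping to the given target inside
# inbound_filter; used to confirm REJECT is evaluated before DROP.
rule_line() {
    gen_rules | grep -n -- "^-A inbound_filter .*-j $1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    # Default: just print the ruleset for review.
    gen_rules
fi
```

Run it without arguments to inspect the generated ruleset, and with `--apply` as root to load it. Rule order is what makes this work: if the unconditional DROP were placed before the hashlimit-guarded REJECT, nothing would ever be rejected, so the order is worth checking whenever the chain is edited.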