Ref: http://marc.info/?l=netfilter&m=128043201731932&w=2 On Thursday 2010-07-29 21:33, Lars Nooden wrote: > On 7/29/10 10:09 PM, Elmar Stellnberger wrote: >> iptables -A mychain -m owner --gid-owner blockedusergroup -j DROP > > For starters, consider using the REJECT target instead of DROP if for no other > reason than that it will make your engineering easier: > > http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject That page - especially the summary - is leaving out one essential feature Gáspar already mentioned it in another thread; the CHAOS target from Xtables-addons. It is hard to press its behavior into the three rows "application connects to non-existent service" / "naïve network scanning" / "specialist program", but the behavior can be summed up into: 1. Connect: With an x% (tunable) chance, failure is reported promptly to the user/scanner. (This is to elicit point 2.) 2. Scanning many ports will be slow/expensive. (nmap) 3. Syn scans produce nonsensical results. (nmap) > http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/ -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
