On 27.03.2012 19:21, Humberto Jucá wrote:
> Hi,
>
>> iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> For TCP connections, try to do it with "-j REJECT --reject-with tcp-reset".
> It's faster than port unreachable!

Makes no difference here. Takes 3 seconds, exactly the time to the next SYN packet.

Oh well, that is true for the 2.6.32 kernel. But for the 3.2.0 kernel, it really does make a difference: with --reject-with icmp-port-unreachable it takes only 1 second, and with --reject-with tcp-reset the reaction is instantaneous (i.e. 32 ms).

What exactly did change in the kernel and when?

-- 
Mit freundlichen Grüßen / with kind regards
Nils Rennebarth, Software Developer
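A small measurement harness for the timing comparison discussed above, added here as an example; it is not code from the thread or from the netfilter project. It times a single connect() attempt and reports the errno the kernel handed back: ECONNREFUSED when the kernel aborted the attempt (on a TCP RST, or on an ICMP port-unreachable it accepted as a hard error for the SYN_SENT socket), ETIMEDOUT when the SYNs were simply retransmitted until the socket timeout expired. The closed loopback port used by the stand-alone run is a constructed target so the script runs without any firewall rule; to reproduce the measurement from the thread, pass the host and port covered by the REJECT rule on the command line and compare the elapsed time under --reject-with icmp-port-unreachable and --reject-with tcp-reset.

```python
import errno
import socket
import sys
import time


def probe_connect(host, port, timeout=10.0):
    """Attempt one TCP connect and report how (and how fast) it ended.

    Returns (elapsed_seconds, outcome). outcome is the errno name the kernel
    returned ('ECONNREFUSED' after a TCP RST or an ICMP port-unreachable that
    aborted the SYN_SENT socket), 'ETIMEDOUT' if no answer arrived before
    `timeout` (i.e. the kernel just kept retransmitting SYNs), or
    'CONNECTED' if something actually accepted the connection.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        outcome = "CONNECTED"
    except socket.timeout:
        outcome = "ETIMEDOUT"
    except OSError as e:
        outcome = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        elapsed = time.monotonic() - start
        s.close()
    return elapsed, outcome


def measure(host, port, runs=3, timeout=10.0):
    """Run probe_connect several times; returns a list of (elapsed, outcome)."""
    return [probe_connect(host, port, timeout) for _ in range(runs)]


def closed_loopback_port():
    """Constructed demo target: reserve a free loopback port, then release it,
    so a connect to it is answered by a RST from the local stack."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py [host] [port]
    # With no arguments, probe a closed loopback port (instant RST).
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else closed_loopback_port()
    for elapsed, outcome in measure(host, port):
        print(f"{host}:{port} -> {outcome} after {elapsed * 1000:.0f} ms")
```

The 3-second figure in the thread corresponds to ECONNREFUSED arriving only once the next SYN retransmission is answered; a RST or an accepted ICMP error shows up as ECONNREFUSED within a round trip. Run it against the REJECT target with the rule in each variant to see which case your kernel is in.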