** Reply to message from David Durst <ddurst@larubber.com> on Sat, 30 Nov 2002 16:42:49 -0800 (PST)

> > ** Reply to message from Michael Schwendt <rh0210ms@arcor.de> on Sat, 30
> > Nov 2002 14:38:06 +0100
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On Sat, 30 Nov 2002 14:32:17 +0100, Michael Schwendt wrote:
> >>
> >> > > The reject option as stated in the Redhat 8.0 Security Guide does
> >> > > not work!
> >> > >
> >> > > It gives Bad policy name.
> >> > >
> >> > > Has anyone a workaround for this?
> >> >
> >> > "iptables -P INPUT DENY" because REJECT is a target extension.
> >>
> >> Sorry, "iptables -P INPUT DROP" of course. DENY was ipchains.
> >
> > Oops. I made the same booboo. DROP it is.
>
> The exact command line for this is:
>
> iptables -P INPUT -j DROP
>
> But then again you may want to think twice about using a DEFAULT DROP
> firewall. DEFAULT DROP uses a lot of resources for packets you might just be
> able to ignore.
>
> If you would like to understand more, drop a line to me.

This is nonsense. A DROP policy means that only packets explicitly allowed get in. An ACCEPT policy means everything gets in unless explicitly dropped or rejected. It doesn't take a brain surgeon to realize which is the more secure.

As for the "taking more resources", the default policy only determines how you set up your rules; it doesn't have any inherent effect on resource usage. You are likely referring to the difference between the REJECT and DROP targets. Indeed, REJECT takes more resources since the firewall box has to send a reply back to the sender for every rejected packet, whereas DROP does just that - drops the packet on the floor without a return reply packet. In a DDoS situation, it is clear that a DROP policy will lead to a lighter load on the box than would using a REJECT target.

jb

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
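As an added example (not from the thread or any of its posters): a POSIX shell helper that writes out, in iptables-restore format, the default-DROP INPUT ruleset the thread settles on, with one explicit REJECT rule placed beside the implicit DROP so the reply-traffic difference jb describes is visible in the rules themselves. The allowed service (tcp/22) and the trusted LAN range 192.0.2.0/24 are assumptions; nothing is applied, the ruleset is only printed for review.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread: emit an iptables-restore
# ruleset implementing a default-DROP INPUT policy. The output goes to
# stdout so it can be reviewed before an admin feeds it to iptables-restore.
# Assumed allowed service: SSH on tcp/22. Assumed trusted LAN: 192.0.2.0/24
# (documentation range, constructed for this example).

gen_ruleset() {
    lan="${1:-192.0.2.0/24}"
    cat <<EOF
*filter
# Default policies: a packet matching no ACCEPT rule is silently dropped.
# Policy syntax is "-P <chain> <policy>"; -j belongs to -A/-I rules only.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The one explicitly allowed inbound service.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Trusted LAN gets a polite refusal: REJECT answers every hit with an ICMP
# error, i.e. one reply packet per rejected packet. Everything else falls
# through to the DROP policy, which sends nothing back at all.
-A INPUT -s $lan -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Count the rules that jump to a given target (self-check for the ruleset).
count_target() {
    gen_ruleset "$2" | grep -c -- "-j $1"
}

gen_ruleset
```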