iptables firewall default to drop instead of reject?
Jurgen Kramer
gtm.kramer at inter.nl.net
Fri Jan 20 14:10:32 UTC 2006
I noticed that with FC5t2 the iptables firewall still has the -j REJECT
--reject-with icmp-host-prohibited rule instead of a more secure -j
DROP.
What is the reason behind this?
Maybe there should be an 'advanced' option in the
system-config-securitylevel which lets you choose to do a drop instead of
sending icmp host prohibited messages. I think this is a sensible option
for servers connected to the Net.
You can of course alter the file /etc/sysconfig/iptables by hand but
this can possibly be overwritten by system updates.
Jurgen