[Fedora] Re: iptables: drop or reject?

Rahul Sundaram sundaram at fedoraproject.org
Thu Oct 25 18:28:17 UTC 2007


Ashley M. Kirchner wrote:
> Manuel Arostegui Ramirez wrote:
>> In this case, I would choose to drop packets since they're not going 
>> to stop; it's better not to increase the packets on your interface.
>>   
>    That's kinda what I thought too, however as far as the sending 
> machine is concerned, because it didn't get anything back, it could 
> potentially see it as a successful delivery and thus continue to deliver 
> more and more crap.  On the other hand, if it does get some kind of 
> reset...
> 
>    I don't know.  I certainly don't want to increase my traffic, but I 
> also don't want to give them any reason to believe that they reached me 
> and then increase the amount of crap they're sending.

By rejecting packets, you would be explicitly confirming that you are an 
active connection instead of being a blackhole, which, like any spam you 
confirm, can increase traffic. As you can see, this can play out both ways.

Rahul



