[Fedora] Re: iptables: drop or reject?

Andrew Parker andrewparker at bigfoot.com
Thu Oct 25 18:44:44 UTC 2007


On 10/25/07, Ashley M. Kirchner <ashley at pcraft.com> wrote:
> Manuel Arostegui Ramirez wrote:
> > In this case, I would choose to drop packets since they're not going to stop,
> > it's better not to increase the packets on your interface.
> >
>     That's kinda what I thought too, however as far as the sending
> machine is concerned, because it didn't get anything back, it could
> potentially see it as a successful delivery and thus continue to deliver
> more and more crap.  On the other hand, if it does get some kind of reset...

If you drop all packets then the remote host thinks that either your
host is down or that the IP address is not allocated to anyone.  This
takes a short amount of time to establish (maybe a few minutes,
depending on how the spamming is configured).

If you reject the packets, the remote host knows that your host
exists and is up, but won't know why it can't connect.  The remote
host knows this very quickly.

If it's spam, drop the packets.  You will have the knowledge that, at
least for a short period of time, you are tying up resources on
the spam box rather than the other way around.
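The difference between the two policies, seen from the sending host's side, as an added example that is not part of the original thread. It assumes Linux defaults for the client (initial retransmission timeout of 1 s and net.ipv4.tcp_syn_retries = 6) and uses the documentation range 192.0.2.0/24 as a stand-in for the spam source; the iptables rules are illustrative strings, not rules taken from the thread. The first two functions model how long a sender keeps retransmitting SYNs into a DROP rule before connect() gives up; the third reproduces what a REJECT --reject-with tcp-reset looks like to the client by connecting to a closed loopback port, which answers with the same RST.

```python
"""Added example: what the remote host experiences under DROP vs REJECT.

Not from the original mailing-list thread.  Assumes Linux client defaults
(initial RTO 1 s, tcp_syn_retries = 6); rule strings are illustrative.
"""
import errno
import socket
import time

# Illustrative iptables rules for the two policies discussed in the thread.
# 192.0.2.0/24 (a documentation range) stands in for the spam source.
DROP_RULE = "iptables -A INPUT -s 192.0.2.0/24 -j DROP"
REJECT_RST_RULE = ("iptables -A INPUT -s 192.0.2.0/24 -p tcp "
                   "-j REJECT --reject-with tcp-reset")
REJECT_ICMP_RULE = ("iptables -A INPUT -s 192.0.2.0/24 "
                    "-j REJECT --reject-with icmp-port-unreachable")

# errno a client gets when its SYN is answered with RST (tcp-reset REJECT,
# or simply a closed port).
CONNECTION_REFUSED = errno.ECONNREFUSED


def syn_retransmit_schedule(syn_retries=6, initial_rto=1.0):
    """Seconds after the first SYN at which each SYN retransmission goes out.

    Linux doubles the retransmission timeout after every unanswered SYN, so
    with the default tcp_syn_retries=6 the retries are sent at
    1, 3, 7, 15, 31 and 63 s.  Under DROP nothing ever answers, so the
    sender walks this whole schedule for every connection attempt.
    """
    sends, elapsed, rto = [], 0.0, initial_rto
    for _ in range(syn_retries):
        elapsed += rto
        sends.append(elapsed)
        rto *= 2
    return sends


def connect_timeout_under_drop(syn_retries=6, initial_rto=1.0):
    """Total time a sender waits for a DROPped SYN before connect() fails.

    After the last retransmission the sender still waits one more (doubled)
    RTO, which gives 127 s for the Linux default of 6 retries: that is the
    "few minutes" during which the spam box, not your box, is tying up a
    connection slot.
    """
    elapsed, rto = 0.0, initial_rto
    for _ in range(syn_retries):
        elapsed += rto
        rto *= 2
    return elapsed + rto


def connect_to_closed_port():
    """What REJECT --reject-with tcp-reset looks like from the client side.

    A closed port on loopback answers the SYN with RST exactly as the REJECT
    target would, so connect() fails at once with ECONNREFUSED instead of
    retransmitting for two minutes.  Returns (errno, seconds elapsed).
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))          # let the kernel pick a free port
    port = probe.getsockname()[1]
    probe.close()                          # nothing is listening on it now

    start = time.monotonic()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    try:
        client.connect(("127.0.0.1", port))
        err = 0
    except OSError as exc:
        err = exc.errno
    finally:
        client.close()
    return err, time.monotonic() - start


if __name__ == "__main__":
    print("DROP  :", DROP_RULE)
    print("  sender retransmits SYN at", syn_retransmit_schedule(), "s")
    print("  connect() fails after %.0f s" % connect_timeout_under_drop())
    print("REJECT:", REJECT_RST_RULE)
    err, secs = connect_to_closed_port()
    print("  connect() failed with", errno.errorcode.get(err, err),
          "after %.3f s" % secs)
```

Note that REJECT's quick failure cuts both ways: a well-behaved client learns immediately that it should move on, but a scanner also learns immediately that the address is live. DROP costs the sender the full SYN retry schedule per attempt, which is the resource asymmetry the post above is pointing at.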



