[Fedora] Re: iptables: drop or reject?

Ashley M. Kirchner ashley at pcraft.com
Fri Oct 26 04:09:46 UTC 2007


Neil Cherry wrote:
> I'm betting you're responding with a reset or something. Maybe it
> would be a good idea to show us your rules (you can make up
> the IPs but keep them consistent).
    That would not be consistent then.  I used to reset in the past, and 
traffic wasn't anything like it is now that I drop.  I'd send a reset, I 
might get two or three more packets and then it would go silent.  Now 
that I'm dropping packets (and trust me when I say I'm dropping them, I've 
had others try and I've sniffed it myself, they're being dropped), 
traffic seems to have gotten worse.  It's almost like, because I'm not 
sending a reset back, which would cause the sender to now have to read 
that packet and see that it's a reset, now they're just going into 
oblivion, so there's no more processing on their end, so why not keep 
sending?  At least, that's my thinking.  If I send a reset (or port/host 
unreachable), they have to process that before continuing...now they don't.

    I don't know...it's all a fine line I suppose.
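Since the thread turns on the difference between silently dropping and actively rejecting, here is an iptables-restore fragment that shows both variants side by side, with a rate-limited LOG rule so the "are they still sending?" question can be answered from syslog rather than a sniffer. This is an added example, not the poster's own ruleset; it assumes a single host where only SSH (22/tcp) should be reachable and that the conntrack, limit and LOG modules are available.

```iptables
# Added example (not the poster's rules). Assumes a stand-alone host that
# only needs to accept inbound SSH; everything else is unsolicited.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log a bounded sample of unsolicited packets so retransmission behaviour
# can be compared between the two variants without flooding the log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-UNSOLICITED: " --log-level 4
# Variant A (what the poster does now): discard silently. The sender gets
# no feedback and may keep retransmitting until its own timers expire.
-A INPUT -j DROP
# Variant B (what the poster did before): answer explicitly so the sender
# can give up at once. TCP gets a RST; everything else gets ICMP unreachable.
# Uncomment these two lines and comment out the DROP above to switch.
#-A INPUT -p tcp -j REJECT --reject-with tcp-reset
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

Load it with `iptables-restore < rules.v4` (root required) and watch `grep FW-UNSOLICITED /var/log/messages` while switching between the two variants. The trade-off the thread is circling: DROP gives a remote sender no information and costs no outbound bandwidth, but a sender that expects an answer will retry on its own schedule; REJECT ends each attempt promptly, at the price of one reply packet per probe, which is traffic you are generating in response to possibly spoofed sources.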



