On Thu, 06 Dec 2001 13:51:33 MST, "Slighter, Tim" <tslighterat_private> said:

> you really should try and specify that the rule "drops" instead of reject so
> that the potential intruder is not provided with any information about their
> attempted connection.

On the other hand, you have to contrast "potential intruder" with "normal
operations". The intruders are (by and large) few and far between compared to
the "normal operations" for some things.

I don't even want to *think* about how many inbound packets our Listserv gets
per day on port 113 from Sendmails that are configured to AUTH-query their
inbound connections.

If you *reject*, you send an ICMP Port Unreachable, and the other end gives up
immediately. If you drop silently, they get to retransmit their SYN packet
again a few times first. If it's a packet that a *lot* of things do (like AUTH;
there's a large number of Sendmail/Tcp-Wrapper/etc. out there that have been
set up to do a port 113 lookup back by default), you may want to reject just so
they know they can give up and continue on whatever regularly scheduled service
was in progress.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 22:38:14 PST