* Raymond Leach wrote on Tue, Nov 12, 2002 at 13:16 +0200:
> On Tue, 2002-11-12 at 12:59, Steffen Dettmer wrote:
> > Otherwise, the client would get an RST from a destination it never tried to contact and would discard the packet.
> OK, but then do I still need to forward the smtp ACK RST packets that are generated, or should I just change the rule to DROP instead of REJECT?
For normal cases (for instance, ports on hosts with visible addresses, such as MX or web servers) I would use REJECT. I think this is the correct way, since I guess most users are not attackers and should not be punished by not sending correct responses :) OK, a portscan may become somewhat faster, but let them scan the firewall :)

So I would simply allow the RST packets; it shouldn't be a risk, it's the outgoing direction and it tells that a port is unreachable (with DROP, the attacker can guess that the port is unreachable if she gets no response at all).

oki,

Steffen

--
This message was produced by machine and therefore bears neither signature nor seal.
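The two policies discussed in this thread, written out as an added example (this is not a ruleset posted by Steffen or Raymond): port 25 on a host with a public address, once with REJECT plus an explicit rule that lets the generated TCP RST leave through a restrictive OUTPUT chain, and once with DROP. The interface-free rules, the permitted client network 198.51.100.0/24 and the `IPT` variable are assumptions made for the example; the functions only print the iptables commands unless `IPT=iptables` is set and the script is run as root.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Contrast REJECT (with a TCP RST) and DROP for SMTP on a public host,
# and make sure the RST that REJECT generates is allowed out.
# Assumptions (not from the thread): a permitted client network
# 198.51.100.0/24; everything else hitting port 25 is refused.

IPT="${IPT:-echo iptables}"   # default: print the rules instead of applying them

# REJECT variant: unwanted clients get a RST immediately and give up,
# so legitimate but misdirected connections fail fast instead of hanging.
smtp_rules_reject() {
    $IPT -A INPUT  -p tcp --dport 25 -s 198.51.100.0/24 -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    # The RST is emitted by the firewall's own stack with source port 25.
    # With a restrictive OUTPUT policy it would be silently discarded,
    # which is the situation the question above describes; let it out.
    $IPT -A OUTPUT -p tcp --sport 25 --tcp-flags RST RST -j ACCEPT
}

# DROP variant: the unwanted SYN is discarded without any answer; the
# client retransmits and eventually times out, which is slower for a
# scanner but equally slow for a mistaken legitimate client.
smtp_rules_drop() {
    $IPT -A INPUT  -p tcp --dport 25 -s 198.51.100.0/24 -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 25 -j DROP
}

# Usage: print both rulesets for review; run with IPT=iptables as root to apply.
if [ "${1:-}" = "show" ]; then
    echo "# REJECT variant"; smtp_rules_reject
    echo "# DROP variant";   smtp_rules_drop
fi
```

The `--tcp-flags RST RST` match accepts only segments with the RST bit set from source port 25, so the OUTPUT chain stays closed for everything else that might originate on that port. Whether the RST actually traverses OUTPUT depends on the kernel version in use; on a box where the generated RSTs are already leaving, the rule is harmless.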