Mailinglist Archive: opensuse (3236 mails)
[SLE] Reject vs. deny was [SLE] Ipchains/Firewall
- From: tduggan@xxxxxxxxxxxxxxxx (Tim Duggan)
- Date: Mon, 3 Jan 2000 17:10:27 -0500
- Message-id: <71308BA96577D3119B1300A0C9AC08AD258E52@EXCHANGE1>
I thought I'd spawn this question into a new thread so the original
query doesn't get lost.
O.K., now I have a question about reject vs. deny. The way I understand
it, if a connection is rejected, the firewall has to reply to the remote
machine making the request, whereas deny will not send a reply and
simply discard the packet. Is that correct? If so, then rejecting
connections opens the machine to DoS attacks (particularly from one spoofing
its IP), which makes deny look like the more attractive option.
Perhaps reject is better for machines inside the firewall and deny for
those on the outside?
Tim
> -----Original Message-----
> From: Rogier Maas [SMTP:icarus@xxxxxxxxxxxx]
> Sent: Monday, January 03, 2000 4:57 PM
>
> <snip>
>
> btw: REJECTing is mostly better than DENYing, because now people have to
> wait a while before their app gives up, because you're stealthing the
> port instead of closing it.
>
> REJECT instead of DENY:
>
> ipchains -I input -l -d 192.168.1.4 53 -p tcp -j REJECT
> <snip>
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
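An added model of the trade-off Tim asks about (example code written for this archive page, not from either poster). It simulates an ipchains-style filter holding the one rule from Rogier's mail, blocking TCP to 192.168.1.4 port 53, and records every packet the filter itself emits. Assumptions not in the thread: the inside interface is eth1 and the outside interface is eth0; REJECT is modelled as the ICMP port-unreachable that a plain ipchains REJECT target sends; 203.0.113.9 and 192.168.1.20 are constructed addresses. The "SPLIT" policy is the inside-REJECT/outside-DENY arrangement Tim proposes, keyed on arrival interface rather than source address so that a spoofed inside source arriving from outside still gets no reply.

```python
"""REJECT vs DENY, modelled as a tiny ipchains-like filter.

Equivalent ipchains rules for the SPLIT policy (assumed interface names):
    ipchains -I input -i eth1 -p tcp -d 192.168.1.4 53 -j REJECT
    ipchains -I input -i eth0 -p tcp -d 192.168.1.4 53 -j DENY
"""
from dataclasses import dataclass, field
from typing import List

INSIDE_IFACE = "eth1"      # assumption: LAN side
OUTSIDE_IFACE = "eth0"     # assumption: Internet side
BLOCKED_DST = "192.168.1.4"
BLOCKED_PORT = 53


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str        # source address as written in the header (may be spoofed)
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Filter:
    """One-rule packet filter.

    policy: "REJECT", "DENY", or "SPLIT" (REJECT for packets arriving on the
    inside interface, DENY for packets arriving on the outside interface).
    """
    policy: str
    replies: List[Packet] = field(default_factory=list)   # packets the filter sent itself

    def _matches(self, pkt: Packet) -> bool:
        return pkt.proto == "tcp" and pkt.dst == BLOCKED_DST and pkt.dport == BLOCKED_PORT

    def _verdict(self, pkt: Packet) -> str:
        if self.policy == "SPLIT":
            # Decide by arrival interface, never by source address: a packet on
            # eth0 claiming a 192.168.1.x source is spoofed and earns no reply.
            return "REJECT" if pkt.iface == INSIDE_IFACE else "DENY"
        return self.policy

    def handle(self, pkt: Packet) -> str:
        if not self._matches(pkt):
            return "ACCEPT"
        verdict = self._verdict(pkt)
        if verdict == "REJECT":
            # REJECT costs the filter an outbound packet addressed to whatever
            # source the sender wrote in the header; DENY costs nothing.
            self.replies.append(Packet(iface=pkt.iface, src=BLOCKED_DST, dst=pkt.src,
                                       dport=0, proto="icmp-port-unreachable"))
        return verdict


def reflected_replies(policy: str, victim: str, count: int) -> int:
    """An outside attacker sends `count` SYNs with the source spoofed to `victim`.
    Returns how many filter-generated packets end up aimed at the victim."""
    fw = Filter(policy)
    for _ in range(count):
        fw.handle(Packet(OUTSIDE_IFACE, victim, BLOCKED_DST, BLOCKED_PORT))
    return sum(1 for r in fw.replies if r.dst == victim)


def inside_client_experience(policy: str) -> str:
    """What a legitimate inside host sees when its connection hits the rule."""
    fw = Filter(policy)
    verdict = fw.handle(Packet(INSIDE_IFACE, "192.168.1.20", BLOCKED_DST, BLOCKED_PORT))
    return "connection refused at once" if verdict == "REJECT" else "waits for TCP retransmit timeout"


if __name__ == "__main__":
    for policy in ("REJECT", "DENY", "SPLIT"):
        print(f"{policy:7s} outside spoof -> {reflected_replies(policy, '203.0.113.9', 100):3d} replies to victim;"
              f" spoofed inside src from outside -> {reflected_replies(policy, '192.168.1.20', 100):3d};"
              f" inside client: {inside_client_experience(policy)}")
```

Under "REJECT" every spoofed SYN becomes an unsolicited reply to the victim, under "DENY" none do, and under "SPLIT" the inside client still gets an immediate refusal while outside traffic, including packets forged with an inside source, is silently dropped. The reply is one ICMP per SYN, so this is reflection without amplification; the cost is that the filter's own outbound bandwidth and CPU are spent on an attacker's behalf.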