Mailinglist Archive: opensuse (3236 mails)
RE: [SLE] Reject vs. deny was [SLE] Ipchains/Firewall
- From: tduggan@xxxxxxxxxxxxxxxx (Tim Duggan)
- Date: Tue, 4 Jan 2000 09:35:00 -0500
- Message-id: <71308BA96577D3119B1300A0C9AC08AD258E68@EXCHANGE1>
I understand it this way. A spoofed IP (say 1.1.1.1) sends a SYN request
to a port on your machine. Your machine responds to the real 1.1.1.1
sending a reject message (the real 1.1.1.1 has no clue why you sent it a
reject but it doesn't care either). While this is going on the fake
1.1.1.1 can be flooding you with SYN requests which your machine will
process and reply with a reject potentially until all your bandwidth or
processor cycles are used up. Whereas deny will dump the packet and
forget about it, reducing the amount of used bandwidth/processor cycles.
I mostly use REJECT inside and DENY outside for this reason on my home
LAN, even though I know it is unlikely to be attacked in such a way with
a temporary connection.
Overly paranoid? Maybe, but I'll be ready when cable comes to my neck of
the woods (I really mean woods) in another month or so. :-)
Tim
> -----Original Message-----
> From: François Pinard [SMTP:pinard@xxxxxxxxxxxxxxxx]
> Sent: Monday, January 03, 2000 6:55 PM
>
> Tim Duggan <tduggan@xxxxxxxxxxxxxxxx> writes:
>
> > [...] rejecting connections opens the machine to DoS attacks (particularly
> > one spoofing their IP) [...]
>
> How? :-) I'm perceiving anti-spoofing as rather orthogonal to REJECTs.
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
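An added illustration of the reply cost Tim describes above, written as a constructed Python simulation for this archive page (it is not ipchains and not code from the thread): the interface names, the 40-byte reply size and the flood claiming to come from 1.1.1.1 are assumptions.

```python
"""Toy model of a packet filter applying REJECT or DENY per interface.

Constructed simulation, not ipchains itself: a SYN to a closed port is
either answered with a reject (RST / ICMP unreachable) sent to whatever
source address the packet *claims*, or silently dropped. We count what
the host sends back, which is the cost the poster is describing.
"""
from collections import Counter
from dataclasses import dataclass, field

REJECT_LEN = 40   # bytes for one TCP RST reply (assumed; ICMP unreachable is larger)

@dataclass
class Packet:
    iface: str       # interface the packet arrived on, e.g. "ppp0" (assumed name)
    src: str         # claimed source address; may be spoofed
    dst_port: int

@dataclass
class Stats:
    accepted: int = 0
    dropped: int = 0
    replies: int = 0
    reply_bytes: int = 0
    reply_targets: Counter = field(default_factory=Counter)

def run_filter(packets, policy_by_iface, open_ports=frozenset()):
    """policy_by_iface maps an interface name to 'REJECT' or 'DENY'."""
    stats = Stats()
    for p in packets:
        if p.dst_port in open_ports:
            stats.accepted += 1
            continue
        policy = policy_by_iface[p.iface]
        stats.dropped += 1
        if policy == "REJECT":
            # The reject goes to the claimed source, not to whoever really sent it.
            stats.replies += 1
            stats.reply_bytes += REJECT_LEN
            stats.reply_targets[p.src] += 1
        elif policy != "DENY":
            raise ValueError(f"unknown policy {policy!r}")
    return stats

def spoofed_syn_flood(iface, claimed_src, n, port=23):
    """Constructed flood: n SYNs on `iface`, all claiming to come from claimed_src."""
    return [Packet(iface, claimed_src, port) for _ in range(n)]

if __name__ == "__main__":
    # The poster's layout: DENY on the outside link, REJECT on the home LAN.
    flood = spoofed_syn_flood("ppp0", "1.1.1.1", 10_000)
    for name, pol in (("deny outside", {"ppp0": "DENY"}), ("reject outside", {"ppp0": "REJECT"})):
        s = run_filter(flood, pol, open_ports={22})
        print(f"{name}: {s.replies} replies, {s.reply_bytes} bytes sent to {dict(s.reply_targets)}")
```

With DENY the flood costs only the inbound bandwidth; with REJECT every spoofed SYN also produces an outbound reply aimed at the address the attacker chose to claim.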