Re: [SLE] Reject vs. deny was [SLE] Ipchains/Firewall
Tim Duggan
[...] rejecting connections opens the machine to DoS attacks (particularly one spoofing their IP) [...]
How? :-) I'm perceiving anti-spoofing as rather orthogonal to REJECTs.
Perhaps reject is better for machines inside the firewall and deny for those on the outside?
As a general rule, yes, your machines are more "invisible" that way. But you may decide to REJECT some requests, if it makes your system go faster (for telnet, login, pop3, smtp, and probably many others). Of course, you then have to increase your level of confidence about how these machines, which reveal themselves, are protected.

-- François Pinard http://www.iro.umontreal.ca/~pinard