RE: [SLE] Reject vs. deny was [SLE] Ipchains/Firewall
I understand it this way. A spoofed IP (say 1.1.1.1) sends a SYN request to a port on your machine. Your machine responds to the real 1.1.1.1, sending a reject message (the real 1.1.1.1 has no clue why you sent it a reject, but it doesn't care either). While this is going on, the fake 1.1.1.1 can be flooding you with SYN requests, which your machine will process and reply to with a reject, potentially until all your bandwidth or processor cycles are used up. Whereas deny will dump the packet and forget about it, reducing the amount of used bandwidth/processor cycles.

I mostly use REJECT inside and DENY outside for this reason on my home LAN, even though I know it is unlikely to be attacked in such a way with a temporary connection. Overly paranoid? Maybe, but I'll be ready when cable comes to my neck of the woods (I really mean woods) in another month or so. :-)

Tim
-----Original Message-----
From: François Pinard [SMTP:pinard@iro.umontreal.ca]
Sent: Monday, January 03, 2000 6:55 PM

Tim Duggan writes:

[...] rejecting connections opens the machine to DoS attacks (particularly one spoofing their IP) [...]

How? :-) I'm perceiving anti-spoofing as rather orthogonal to REJECTs.
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
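The cost difference Tim describes (a REJECT answers every spoofed SYN, a DENY answers none) and François's point that anti-spoofing is a separate question can both be made concrete with a small model. The following is an added example, not code from the thread or from the ipchains project. It assumes a constructed two-interface host (`eth0` inside, `ppp0` outside) with a constructed LAN prefix of 192.168.1., a bare SYN of 40 bytes, and a REJECT answer modelled as a 56-byte ICMP port-unreachable; packet sizes, addresses and function names are all assumptions chosen for the illustration.

```python
"""Model of a host firewall's REJECT vs DENY behaviour under a spoofed SYN flood.

Added example, not code from the mailing-list thread. Sizes and addresses are
constructed assumptions: a bare SYN is 40 bytes (20 IP + 20 TCP) and a REJECT
answer is modelled as a 56-byte ICMP port-unreachable (20 IP + 8 ICMP + the
first 28 bytes of the offending datagram).
"""
from collections import Counter
from dataclasses import dataclass, field

SYN_BYTES = 40            # assumed size of a minimal inbound SYN
ICMP_UNREACH_BYTES = 56   # assumed size of the reply a REJECT generates

INSIDE_IF, OUTSIDE_IF = "eth0", "ppp0"
INTERNAL_PREFIX = "192.168.1."   # constructed LAN prefix

# Per-interface policy as described in the thread: REJECT inside, DENY outside.
POLICY = {INSIDE_IF: "REJECT", OUTSIDE_IF: "DENY"}


@dataclass(frozen=True)
class Syn:
    iface: str          # interface the packet arrived on
    src: str            # claimed source address; may be spoofed
    dst_port: int
    size: int = SYN_BYTES


@dataclass
class Stats:
    in_bytes: int = 0
    out_bytes: int = 0
    dropped_spoof: int = 0
    backscatter: Counter = field(default_factory=Counter)  # replies per claimed source

    @property
    def amplification(self) -> float:
        """Bytes the firewall emits per byte the attacker sends."""
        return self.out_bytes / self.in_bytes if self.in_bytes else 0.0


def is_spoofed_ingress(pkt: Syn) -> bool:
    """Anti-spoofing rule: traffic arriving on the outside interface must not
    claim an inside address. This check is independent of REJECT vs DENY."""
    return pkt.iface == OUTSIDE_IF and pkt.src.startswith(INTERNAL_PREFIX)


def handle(pkt: Syn, policy: dict, stats: Stats) -> str:
    """Apply the anti-spoofing rule, then the interface policy; return the verdict."""
    stats.in_bytes += pkt.size
    if is_spoofed_ingress(pkt):
        stats.dropped_spoof += 1
        return "DENY"
    verdict = policy[pkt.iface]
    if verdict == "REJECT":
        # The reply goes to whatever address the source field names, which under
        # spoofing is an uninvolved third party, not the sender of the flood.
        stats.out_bytes += ICMP_UNREACH_BYTES
        stats.backscatter[pkt.src] += 1
    return verdict


def simulate(packets, policy=None) -> Stats:
    stats = Stats()
    for pkt in packets:
        handle(pkt, policy or POLICY, stats)
    return stats


def flood(iface: str, src: str, count: int, port: int = 23):
    """Constructed burst of SYNs with a fixed (possibly spoofed) source."""
    return [Syn(iface, src, port) for _ in range(count)]


if __name__ == "__main__":
    outside = simulate(flood(OUTSIDE_IF, "1.1.1.1", 1000))
    inside = simulate(flood(INSIDE_IF, "1.1.1.1", 1000))
    print(f"outside/DENY:   out={outside.out_bytes}B  amplification={outside.amplification:.2f}")
    print(f"inside/REJECT:  out={inside.out_bytes}B  amplification={inside.amplification:.2f} "
          f"backscatter to 1.1.1.1={inside.backscatter['1.1.1.1']}")
```

Running the model with the thread's two policies shows the asymmetry directly: the DENY interface emits nothing, while the REJECT interface emits more bytes than it receives and directs all of them at the spoofed address. The `is_spoofed_ingress` rule drops outside packets claiming an inside address before the REJECT/DENY choice is ever reached, which is the sense in which the two controls are orthogonal.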