iptables question

Aaron Toponce aaron.toponce at gmail.com
Wed Nov 5 04:28:28 MST 2008


On Mon, Nov 03, 2008 at 04:22:19PM -0700, Corey Edwards wrote:
> I believe Nick is right. I would just add that on the LAN side of
> things, I would REJECT rather than DROP. That'll save your host the
> hassle of waiting for a timeout.

I too would use REJECT over DROP. If you pay close attention to standard
TCP implementation, REJECT behaves more like TCP than DROP does. While
DROP may seem more secure at the outset, the fact remains that REJECT is
the preference for security.

-- 
                       _
Aaron Toponce         ( )  ASCII Ribbon Campaign
www.aarontoponce.org   X   www.asciiribbon.org
                      / \