[LARTC] REJECTing: How and When to use What type of reply.
For this thread I'd like to FOCUS on rejecting bad traffic and not on dropping. The first case I'd like to discuss is where all but a handful of public web sites are allowed for outgoing connections. A typical NAT setup is used where all the users sit behind a firewall; some have full access to the Internet but most have restricted access. I'd also like to bring other minds into the discussion, and not have it be a Linux-only problem.
Here is the big deal. A web page like www.nasdaq.com is considered valid, so traffic to its IP 18.104.22.168 is ACCEPTed. However, this site pulls content from an unknown group of other sites, unfortunately not ACCEPTed. In the meantime, until all the sites can be added, it's not proper to simply DROP these SYN packets. This is where this concerns EVERYONE: the client software needs to get the right REJECT from the firewall. Now How and When to use What type of reply becomes a big deal.
I'd like to open this discussion up to everyone who has 2 cents and/or another good use of REJECT vs DROP. For my setup I have winblows computers running both IE and Netscape behind a generic firewall *Blush*. The two types of REJECTs I have tested are "TCP RST" and ICMP (Port Unreachable); are there any others?
This thread may be moved to another list where appropriate, but was started on firstname.lastname@example.org.
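The two reply types the post tested differ in more than name, and the difference is what the client actually sees. The following is an added example (editor's code, not from the post or the LARTC list) that builds both replies byte for byte for one captured SYN, the way a Linux REJECT target would: the TCP RST is sent with the addresses swapped, so it appears to come from the web server itself, with ACK set to the SYN's sequence number plus one (RFC 793); the ICMP port unreachable (type 3, code 3, RFC 792) is sent from the firewall's own address and quotes the original IP header plus the first 8 bytes of the TCP header so the client can match it to the pending connection. All addresses, ports and sequence numbers are constructed for the example. For the post's closing question: iptables' REJECT target also accepts icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited and icmp-admin-prohibited as `--reject-with` values, and `tcp-reset` is only accepted on rules that match `-p tcp`; the `reject_reply` function below mirrors that restriction for the two types the post tried.

```python
"""Build the two firewall REJECT replies (TCP RST, ICMP port unreachable)
for a captured SYN. Added example; all addresses/ports below are constructed."""
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                flags: int, window: int = 0) -> bytes:
    """20-byte TCP header, no options; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, PROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    seg = tcp_segment(src, dst, sport, dport, seq, 0, SYN, window=65535)
    return ipv4_header(src, dst, PROTO_TCP, seg) + seg


def parse_packet(pkt: bytes) -> dict:
    """Pull out the fields a firewall needs from an IPv4 packet (TCP or ICMP)."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"ihl": ihl, "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if info["proto"] == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x3F)
    elif info["proto"] == PROTO_ICMP:
        info.update(icmp_type=pkt[ihl], icmp_code=pkt[ihl + 1], quoted=pkt[ihl + 8:])
    return info


def build_tcp_rst(syn_pkt: bytes) -> bytes:
    """RFC 793 reply to a SYN with no listener: RST|ACK, SEQ=0, ACK=SEG.SEQ+1.
    Source address is the original destination, i.e. the firewall answers as the server."""
    p = parse_packet(syn_pkt)
    seg = tcp_segment(p["dst"], p["src"], p["dport"], p["sport"],
                      0, (p["seq"] + 1) & 0xFFFFFFFF, RST | ACK)
    return ipv4_header(p["dst"], p["src"], PROTO_TCP, seg) + seg


def build_icmp_port_unreachable(orig_pkt: bytes, firewall_ip: str) -> bytes:
    """RFC 792 type 3 code 3, sent from the firewall's own address and quoting the
    original IP header plus 8 bytes (enough to carry the TCP ports and sequence number)."""
    p = parse_packet(orig_pkt)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + orig_pkt[: p["ihl"] + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(firewall_ip, p["src"], PROTO_ICMP, icmp) + icmp


def reject_reply(pkt: bytes, firewall_ip: str, reject_with: str) -> bytes:
    """Mirror of `-j REJECT --reject-with <type>` for the two types the post tested."""
    if reject_with == "tcp-reset":
        if parse_packet(pkt)["proto"] != PROTO_TCP:
            raise ValueError("tcp-reset is only valid for TCP rules")  # as iptables enforces
        return build_tcp_rst(pkt)
    if reject_with == "icmp-port-unreachable":
        return build_icmp_port_unreachable(pkt, firewall_ip)
    raise ValueError("unsupported reject type: %s" % reject_with)


def checksums_ok(pkt: bytes) -> bool:
    """Verify IP header checksum plus the TCP (pseudo-header) or ICMP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    body = pkt[ihl:]
    if pkt[9] == PROTO_TCP:
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, PROTO_TCP, len(body))
        return checksum(pseudo + body) == 0
    if pkt[9] == PROTO_ICMP:
        return checksum(body) == 0
    return False


# Constructed sample: an internal client behind the firewall opening port 80 on a
# web server that is not on the ACCEPT list.
CLIENT_IP, WEB_IP, FIREWALL_IP = "10.0.0.5", "192.0.2.10", "10.0.0.1"
SAMPLE_SYN = build_syn(CLIENT_IP, WEB_IP, 40000, 80, 1000)

if __name__ == "__main__":
    for kind in ("tcp-reset", "icmp-port-unreachable"):
        reply = reject_reply(SAMPLE_SYN, FIREWALL_IP, kind)
        print(kind, len(reply), "bytes", parse_packet(reply))
```

The RST carries the server's address as source, so the client's TCP stack aborts the connect() immediately and the browser reports the failure instead of hanging on retransmits. The ICMP error comes from the firewall's address and is only honoured by the client if it can match the quoted header to an open socket, which is why the quoted 28 bytes matter.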