Re: [LARTC] REJECTing: How and When to use What type of reply.

Tarragon Allen, 2003-09-20 01:20:19 +0200 :


> The only distinction between the two that I make is that a REJECT
> is polite, and a DROP is rude. Also, a REJECT says to the other end
> "yes, there is a host there" whereas a DROP says "I got nothing,
> looks like there's nothing there".

I agree with that.

> For home connections I tend to just DROP everything that I don't
> want - this makes it slower for people to scan, as they aren't
> getting a valid response from every non-open port on my system.

  I have a slightly more complex rule: I try to maintain a minimum
level of politeness, while limiting the amount of outgoing bandwidth I
use (I resent the A in ADSL).  So if someone accidentally tries to
connect to me, he gets a REJECT, but if I get scanned, or attacked, at
most one REJECT packet will be sent out every second, allowing for the
iptables burst mechanism which I'm not totally clear on yet.

  Voilà!  Polite with good guys, ignoring the baddies, and not using
much outgoing bandwidth.  I agree this is an approximation of what
really happens (good guys can be ignored too if they happen to try to
connect during a scan), but it works for me.

Roland Mas

Save the beavers, plant trees.
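An added example, not from Roland's or Tarragon's mails, of how the "REJECT at most once per second, DROP the rest" policy described above can be expressed with iptables. The script only prints the commands by default (IPT defaults to `echo iptables`); set IPT=iptables to apply them as root. The interface name ppp0, the single open port 22 and the burst size of 5 are assumptions to adapt for your own host.

```shell
#!/bin/sh
# Added example (not from the original thread): a rate-limited REJECT policy.
# IPT defaults to a dry run that prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
# Assumed interface and the one service actually offered (adjust as needed).
WAN_IF="${WAN_IF:-ppp0}"
OPEN_PORT="${OPEN_PORT:-22}"

build_rules() {
  # Replies to connections we opened, and the service we offer, are accepted.
  $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$OPEN_PORT" --syn -j ACCEPT

  # Politeness budget: the limit match is a token bucket that holds
  # --limit-burst tokens and refills at the --limit rate.  An accidental
  # connection attempt spends one token and gets a proper REJECT.
  $IPT -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 1/second --limit-burst 5 -j REJECT --reject-with tcp-reset
  $IPT -A INPUT -i "$WAN_IF" -p udp -m limit --limit 1/second --limit-burst 5 -j REJECT --reject-with icmp-port-unreachable

  # Once the bucket is empty (a scan or a flood), everything else is silently
  # dropped: the scanner gets no answers and we spend no upstream bandwidth.
  $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Helpers used to sanity-check the generated ruleset in dry-run mode.
count_reject_rules() { build_rules | grep -c -- '-j REJECT'; }
last_rule_is_drop()  { build_rules | tail -n 1 | grep -q -- '-j DROP'; }

build_rules
```

The `limit` match is global, not per source, so during a scan a legitimate connection attempt can hit the DROP rule too, which is exactly the approximation Roland describes. If that matters, the `hashlimit` match (`-m hashlimit --hashlimit-mode srcip`) keeps a separate bucket per source address, at the cost of a little kernel memory per tracked host.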

