also sprach Russell Coker <russell@coker.com.au> [2004.10.30.1106 +0200]:
> If you block with tcp-reset then not only will the person
> connecting get a fast response, but someone who port scans you
> won't know which ports don't have anything listening on them and
> which ports are blocked by iptables.

While it can be considered "kind" to let people know which ports are inaccessible, I always treat access to ports that I did not open for the public as an offence. Thus, I do not feel obliged to let the offender know that s/he is accessing an inaccessible port.

As an added benefit, DROP obscures who is dropping. It could be the host or a firewall before it. Now that I think of it, however, a firewall would spoof the sending IP when rejecting with tcp-reset, right?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
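The two policies the thread compares, side by side as an iptables-restore fragment. This is an added example, not from either list post; the ports opened on purpose (22 and 80) are assumed.

```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host started, and loopback traffic.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Services deliberately opened to the public (assumed: SSH and HTTP).
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# Policy A (Russell): answer every other TCP SYN with an RST, so a
# filtered port is indistinguishable from a closed one; the client
# fails immediately instead of waiting for a timeout.
# The RST is built by swapping the addresses of the rejected packet,
# so its source is the address the SYN was aimed at: on a firewall in
# front of a host it appears to come from the host itself.
# -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# -A INPUT -j REJECT --reject-with icmp-port-unreachable
# Policy B (Martin): discard silently. Nothing is sent back, so the
# sender cannot tell whether the host or a firewall before it decided,
# but legitimate clients wait for their connect timeout.
-A INPUT -j DROP
COMMIT
```

Load with `iptables-restore < rules.txt`; uncomment the REJECT lines and delete the final DROP rule to switch from policy B to policy A.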