
Re: dropping vs rejecting for non-existent services



thus spoke Russell Coker <russell@coker.com.au> [2004.10.30.1106 +0200]:
> If you block with tcp-reset then not only will the person
> connecting get a fast response, but someone who port scans you
> won't know which ports don't have anything listening on them and
> which ports are blocked by iptables.

While it can be considered "kind" to let people know which ports are
inaccessible, I always treat access to ports that I did not open for
the public as an offence. Thus, I do not feel obliged to let the
offender know that s/he is accessing an inaccessible port.

As an added benefit, DROP obscures who is dropping. It could be the
host or a firewall before it. Now that I think of it, however,
a firewall would spoof the sending IP when rejecting with tcp-reset,
right?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


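Added example, not part of this thread and not Debian's or iptables' own code: a scanner's-eye classifier showing the point Russell makes above. A port with nothing listening answers a SYN with RST (the probe fails fast with "connection refused"), a port REJECTed with tcp-reset looks exactly the same, and a DROPped port answers nothing, so the probe times out and the scanner reports it "filtered", which is what tells the scanner a firewall is in the path. The iptables rules named in the comment are the standard DROP and REJECT targets from the iptables manual, not rules posted by either author. The script does not modify any firewall; it opens a listener on 127.0.0.1 for the "open" case, picks an unused loopback port for the "closed" case, and, as an assumption, probes a TEST-NET-1 address (192.0.2.1, RFC 5737) as a stand-in for a host that drops; on a machine without a route out that probe reports "unreachable" instead of "filtered".

```python
"""Scanner's view of DROP versus REJECT --reject-with tcp-reset.

Rules under discussion (iptables manual; for a port 25 nobody listens on):

    iptables -A INPUT -p tcp --dport 25 -j DROP
    iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset

Nothing here touches iptables; we only classify what a TCP connect() probe
observes and show the locally reproducible states on the loopback interface.
"""
import socket
import time


def classify(exc):
    """Map the outcome of one TCP connect() to the usual scanner port state.

    None                    -> 'open'        SYN got SYN/ACK: something listens
    ConnectionRefusedError  -> 'closed'      SYN got RST: nothing listens, or
                                             REJECT --reject-with tcp-reset
    timeout                 -> 'filtered'    no answer: DROP (or packet lost)
    any other OSError       -> 'unreachable' ICMP unreachable, no route, ...
    """
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    return "unreachable"


def probe(host, port, timeout=1.0):
    """Send one TCP connect() probe; return (state, elapsed_seconds)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = None
    except OSError as exc:          # ConnectionRefusedError and timeout are OSErrors
        outcome = exc
    finally:
        sock.close()
    return classify(outcome), time.monotonic() - start


def scan(host, ports, timeout=1.0):
    """Probe several ports; return {port: state}."""
    return {port: probe(host, port, timeout)[0] for port in ports}


def firewalled(states):
    """Ports a scanner can attribute to a packet filter: only DROP leaks this.

    With tcp-reset the rejected ports come back 'closed', indistinguishable
    from ports nobody listens on, so this set stays empty.
    """
    return sorted(port for port, state in states.items() if state == "filtered")


def local_listener():
    """Constructed fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_port():
    """Constructed fixture: a loopback port with nothing listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()                     # never listened, so no TIME_WAIT; port is free
    return port


def demo():
    """Run the three cases and return {label: (state, seconds)}."""
    srv = local_listener()
    results = {
        "open (listener)": probe("127.0.0.1", srv.getsockname()[1]),
        "closed (RST)": probe("127.0.0.1", free_port()),
        # Assumed black hole: TEST-NET-1 normally never answers, which is the
        # same verdict a DROP rule produces. Offline hosts see 'unreachable'.
        "dropped (192.0.2.1:80)": probe("192.0.2.1", 80, timeout=1.0),
    }
    srv.close()
    return results


if __name__ == "__main__":
    for label, (state, secs) in demo().items():
        print(f"{label:26s} {state:12s} {secs:.3f}s")
    print("firewall visible on:", firewalled({k: v[0] for k, v in demo().items()}))
```

Both loopback probes return within milliseconds; only the dropped case waits for the full timeout, which is the "fast response" difference Russell refers to, and only the dropped case lands in `firewalled()`.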
