Re: is iptables slow?
On Thu, Nov 15, 2001 at 11:31:15AM +0100, Boris Bierwald wrote:
> I would assume that your DROP default policy causes the delay. At least
> most smtp- and ftp-servers will send an ident query back to your host
> if you try to connect to them. If you simply ignore the queries, those
> servers will wait until a timeout occurs. Try to use the --state
> RELATED match, or change your default policy to REJECT if you like to
> have ident queries blocked.
>
A simple alternative is to REJECT just identd. The default policy of
drop annoys scanners more than a reject. Of course this doesn't
make portscanning more difficult, just a little bit slower.
- Einar Karttunen
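The rule set Einar describes, as an added example that is not from the original thread: the INPUT chain keeps its DROP default policy, but TCP port 113 (ident/auth) gets an explicit REJECT with a TCP reset, so a mail or FTP server's ident probe fails immediately instead of sitting in the remote host's timeout. The `ident_rules` function only prints the commands; `apply_rules` is a hypothetical helper that runs them and assumes root and a stock `iptables` binary.

```shell
#!/bin/sh
# Added example: REJECT ident (TCP 113) while keeping a DROP default policy.
# Rule order matters: the ident REJECT and the state match must be evaluated
# before the chain's DROP policy, which only applies to packets no rule matched.

ident_rules() {
    # Accept replies to connections this host initiated (covers the data
    # channel of active FTP via RELATED as well).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Answer ident probes with a TCP RST so the remote server gives up at once.
    echo "iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # Everything else is silently dropped, as before.
    echo "iptables -P INPUT DROP"
}

# Count how many generated rules target the ident port; used as a sanity check.
ident_rule_count() {
    ident_rules | grep -c -- '--dport 113'
}

# Hypothetical helper: apply the printed rules. Requires root and iptables.
apply_rules() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found; printing rules only" >&2
        ident_rules
        return 1
    fi
    ident_rules | while read -r cmd; do
        eval "$cmd"
    done
}

# Usage: sh ident-reject.sh           (prints the rules)
#        sh ident-reject.sh --apply   (installs them, as root)
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    ident_rules
fi
```

With `REJECT --reject-with tcp-reset` the remote host sees a closed port, which is also what an unfirewalled machine without identd would show; the DROP policy for the remaining ports is unchanged, so the only behavioural difference is that ident lookups now fail fast.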