Re: Iptables & Default policy of Reject
On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
> As long as I use iptables I was not able to use policies of reject. I
> even remember the target 'REJECT' being a selectable kernel option.
Reject requires some ICMP action whereas DROP doesn't.
But be aware that DROP can cause unexpected side-effects in some
cases, because it's not what remote hosts expect.
I recall one instance where a mail server I'd configured couldn't
send mail to one particular system. Both systems could freely
exchange mail with other places.
The problem turned out to be that I was dropping packets sent to the
ident port. When my system tried to initiate an SMTP exchange, the
other system would try to do an ident callback against it. Since I
was dropping packets instead of rejecting them, the whole transaction
would come to a halt while the other system waited for the ident
connection to time out. By the time that happened, the SMTP daemon
on the other system had timed out, as well, so no mail ever got
Once I started rejecting packets to ident instead, things worked,
since the ident callback would fail immediately. (Actually, since I
didn't have the REJECT target, I just opened the ident port and then
made sure identd wasn't running.)
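The stall described above can be seen from the receiving MTA's side with a small script. This is an added example, not code from the original post: it runs a throwaway identd (RFC 1413) on 127.0.0.1 to show the normal query/response exchange, then queries a local port that nothing listens on, which is what a `REJECT` rule with `--reject-with tcp-reset` (or, as in the post, an open port with no identd behind it) looks like to the caller: an immediate refusal. The `DROP` case cannot be reproduced offline without a packet filter, so it is handled in the code path but only described in the comments. The ports, user name and timeout values are assumptions for the demonstration.

```python
"""Ident (RFC 1413) callback timing: why DROP stalls an SMTP session and REJECT
does not. Added example, not from the original mailing-list post.
"""
import socket
import threading
import time

IDENT_PORT = 113  # the real ident port; the demo below uses ephemeral ports


def serve_ident_once(listener, user="nobody"):
    """Minimal identd: answer one query of the form '<server_port> , <client_port>'."""
    conn, _ = listener.accept()
    with conn:
        query = conn.recv(512).decode("ascii", "replace").strip()
        # RFC 1413 reply: "<server-port> , <client-port> : USERID : <opsys> : <user-id>"
        conn.sendall(f"{query} : USERID : UNIX : {user}\r\n".encode("ascii"))


def ident_lookup(host, server_port, client_port, timeout, port=IDENT_PORT):
    """The callback an MTA makes against the host that just connected to it.

    Returns (status, reply, elapsed_seconds); status is 'ok', 'refused',
    'timeout' or 'error: ...'.
    """
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = sock.recv(512).decode("ascii", "replace").strip()
            return "ok", reply, time.monotonic() - started
    except ConnectionRefusedError:
        # REJECT (tcp-reset) or a closed port: the peer's kernel sends RST at
        # once, so the MTA gives up immediately and carries on with SMTP.
        return "refused", "", time.monotonic() - started
    except socket.timeout:
        # DROP: no RST and no ICMP error ever arrives, so we sit here for the
        # full timeout; meanwhile the SMTP session on the other side may expire.
        return "timeout", "", time.monotonic() - started
    except OSError as exc:
        return f"error: {exc}", "", time.monotonic() - started


def demo_answered():
    """Normal case: a real identd answers the callback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_ident_once, args=(listener,), daemon=True)
    worker.start()
    result = ident_lookup("127.0.0.1", 25, 40000, timeout=5.0, port=port)
    worker.join(timeout=5.0)
    listener.close()
    return result


def demo_refused():
    """REJECT-like case: nothing listens, the kernel answers with RST."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # release the port so the lookup hits a closed socket
    return ident_lookup("127.0.0.1", 25, 40000, timeout=5.0, port=port)


if __name__ == "__main__":
    for name, fn in (("answered", demo_answered), ("refused", demo_refused)):
        status, reply, elapsed = fn()
        print(f"{name:9s} status={status:8s} elapsed={elapsed:.3f}s reply={reply!r}")
```

On a host with iptables, the rule that gives remote MTAs the fast failure is `iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset`; a plain `-j DROP` on the same port produces the `timeout` path above, and `REJECT` without `--reject-with tcp-reset` sends an ICMP port-unreachable instead of an RST, which most TCP stacks also treat as an immediate failure but is not what a closed port would normally send.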