On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
As long as I use iptables I was not able to use policies of reject. I even remember the target 'REJECT' being a selectable kernel option. Reject requires some ICMP action whereas DROP doesn't.
But be aware that DROP can cause unexpected side-effects in some cases, because it's not what remote hosts expect.
I recall one instance where a mail server I'd configured couldn't send mail to one particular system. Both systems could freely exchange mail with other places.
The problem turned out to be that I was dropping packets sent to the ident port. When my system tried to initiate an SMTP exchange, the other system would try to do an ident callback against it. Since I was dropping packets instead of rejecting them, the whole transaction would come to a halt while the other system waited for the ident connection to time out. By the time that happened, the SMTP daemon on the other system had timed out, as well, so no mail ever got delivered.
Once I started rejecting packets to ident instead, things worked, since the ident callback would fail immediately. (Actually, since I didn't have the REJECT target, I just opened the ident port and then made sure identd wasn't running.)