
Re: Iptables & Default policy of Reject



David Brodbeck wrote:
> 
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
> 
>> As long as I use iptables I was not able to use policies of reject. I
>> even remember the target 'REJECT' being a selectable kernel option.
>> Reject requires some ICMP action whereas DROP doesn't.
> 
> But be aware that DROP can cause unexpected side-effects in some cases,
> because it's not what remote hosts expect.
> 
> I recall one instance where a mail server I'd configured couldn't send
> mail to one particular system.  Both systems could freely exchange mail
> with other places.
> 
> The problem turned out to be that I was dropping packets sent to the
> ident port.  When my system tried to initiate an SMTP exchange, the
> other system would try to do an ident callback against it.  Since I was
> dropping packets instead of rejecting them, the whole transaction would
> come to a halt while the other system waited for the ident connection to
> time out.  By the time that happened, the SMTP daemon on the other
> system had timed out, as well, so no mail ever got delivered.
> 
> Once I started rejecting packets to ident instead, things worked, since
> the ident callback would fail immediately.  (Actually, since I didn't
> have the REJECT target, I just opened the ident port and then made sure
> identd wasn't running.)
<snip>

That's why when I use 'DROP' as default policy on the INPUT chain I also
add:

... --dport 113 -j REJECT --reject-with tcp-reset


-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE
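Below is an added example, not code from the thread, showing what the full INPUT ruleset looks like once the ident REJECT rule is combined with a DROP default policy. The loopback, conntrack and SMTP accept rules are assumptions added so the set is self-consistent; the ident line is the one from the reply above.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal INPUT policy that
# drops by default but answers ident (TCP/113) probes with a TCP RST, so a
# remote SMTP server's ident callback fails at once instead of hanging until
# its own SMTP timeout fires. Run with --apply as root to load it; otherwise
# it only prints the iptables-restore ruleset.

ident_reject_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep loopback and already-established flows working (assumed rules)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one service this host offers: SMTP, as in the thread's mail server
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# ident callbacks: refuse immediately with a RST rather than silently dropping,
# so the peer's ident probe returns "connection refused" right away
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# everything else falls through to the chain's DROP policy
COMMIT
EOF
}

# Returns 0 when the ruleset carries the explicit ident reject rule
# ahead of COMMIT, i.e. before the DROP policy would swallow the SYN.
has_ident_reject() {
    ident_reject_ruleset \
        | sed '/^COMMIT/q' \
        | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset'
}

if [ "$1" = "--apply" ]; then
    ident_reject_ruleset | iptables-restore
else
    ident_reject_ruleset
fi
```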
