Firewall Wizards mailing list archives
Re: Performance question Drop or Reject
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 16 Jan 2010 11:10:12 -0500 (EST)
On Fri, 15 Jan 2010, Paul Melson wrote:
The difference between DROP and REJECT in iptables is that DROP simply discards the packet while REJECT discards the packet and sends an ICMP host-unreachable response to the source IP. You can also configure TCP REJECT rules to respond with a TCP RST packet. There are several performance and security considerations that should be weighed when setting up your rules and deciding whether to DROP or REJECT.
More properly, that should be an ICMP *destination* unreachable. For TCP and UDP I'd expect to see code 3 (port unreachable) as the destination unreachable code (unless the source address is a broadcast or multicast address) although filters should give back code 9, 10 or 13. Code 1 is host unreachable, and is generally only sent by routers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
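The thread's point is that an iptables REJECT does not send "host unreachable" by default: it sends ICMP type 3 (destination unreachable) with code 3 (port unreachable) unless `--reject-with` picks another code, and codes 9, 10 and 13 are the ones that say "a filter did this". The following is an added example, not code from the thread or from iptables; it builds the ICMP reply a REJECT rule would generate for a constructed UDP probe (addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24), then decodes it the way a scanner would to tell "port closed" from "administratively filtered". The `--reject-with` names are the real ones from iptables-extensions(8); `firewall_response` is a hypothetical helper that models DROP as silence and REJECT as an ICMP error, and it does not model `tcp-reset`.

```python
"""Model what a sender sees from an iptables DROP versus REJECT, and decode the ICMP reply."""
import struct

# iptables --reject-with names -> ICMP type 3 code (names per iptables-extensions(8)).
REJECT_WITH = {
    "icmp-net-unreachable": 0,
    "icmp-host-unreachable": 1,
    "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3,    # the iptables default for REJECT
    "icmp-net-prohibited": 9,
    "icmp-host-prohibited": 10,
    "icmp-admin-prohibited": 13,
}

# ICMP destination-unreachable code names (RFC 792, RFC 1122, RFC 1812).
CODE_NAMES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}
FILTER_CODES = {9, 10, 13}  # codes that reveal a filtering device rather than a closed port
ICMP_DEST_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a message whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample datagram: an empty UDP probe from a scanner at a filtered port."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP checksum 0 = not computed (allowed for IPv4)
    return ipv4_header(src, dst, 17, len(udp)) + udp


def build_dest_unreachable(code: int, offending: bytes) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the offending IP header + 8 bytes."""
    quoted = offending[:28]  # 20-byte IP header plus the first 8 bytes of the transport header
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def firewall_response(target: str, offending: bytes, reject_with: str = "icmp-port-unreachable"):
    """Hypothetical model of the rule action: DROP -> nothing (None, the sender times out);
    REJECT -> an ICMP destination-unreachable message with the chosen code."""
    if target == "DROP":
        return None
    if target == "REJECT":
        return build_dest_unreachable(REJECT_WITH[reject_with], offending)
    raise ValueError("unsupported target %r" % target)


def parse_dest_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP destination-unreachable message; raise ValueError if malformed."""
    if len(icmp) < 8 + 28:
        raise ValueError("too short for an ICMP error with quoted header")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code = icmp[0], icmp[1]
    if typ != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    q = icmp[8:]                    # the quoted original datagram
    ihl = (q[0] & 0x0F) * 4
    proto = q[9]
    src = ".".join(str(b) for b in q[12:16])
    dst = ".".join(str(b) for b in q[16:20])
    sport, dport = struct.unpack("!HH", q[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return {"code": code, "name": CODE_NAMES.get(code, "unknown"), "filtered": code in FILTER_CODES,
            "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


if __name__ == "__main__":
    probe = udp_probe("198.51.100.7", "203.0.113.5", 40000, 161)
    print("DROP  ->", firewall_response("DROP", probe))
    for name in ("icmp-port-unreachable", "icmp-admin-prohibited"):
        print("REJECT --reject-with %s ->" % name,
              parse_dest_unreachable(firewall_response("REJECT", probe, name)))
```

The decoded `dport` comes from the quoted header, which is why the ICMP error must carry the original IP header plus 8 bytes: it is the only way the sender can match the error to the probe it sent. A port scanner will report code 3 as "closed" but any of codes 9, 10 or 13 as "filtered", so choosing `--reject-with icmp-admin-prohibited` is more honest but also advertises the filter; DROP returns nothing and costs the sender a timeout instead.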
Current thread:
- Performance question Drop or Reject Jason Lewis (Jan 14)
- Re: Performance question Drop or Reject K K (Jan 16)
- Re: Performance question Drop or Reject Paul Melson (Jan 16)
- Re: Performance question Drop or Reject Jason Lewis (Jan 16)
- Re: Performance question Drop or Reject Paul D. Robertson (Jan 16)