11/09/2007, 19:20   #4
Georgi Alexandrov
Re: Iptables & Default policy of Reject

David Brodbeck wrote:
>
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
>
>> As long as I use iptables I was not able to use policies of reject. I
>> even remember the target 'REJECT' being a selectable kernel option.
>> Reject requires some ICMP action whereas DROP doesn't.
>
> But be aware that DROP can cause unexpected side-effects in some cases,
> because it's not what remote hosts expect.
>
> I recall one instance where a mail server I'd configured couldn't send
> mail to one particular system. Both systems could freely exchange mail
> with other places.
>
> The problem turned out to be that I was dropping packets sent to the
> ident port. When my system tried to initiate an SMTP exchange, the
> other system would try to do an ident callback against it. Since I was
> dropping packets instead of rejecting them, the whole transaction would
> come to a halt while the other system waited for the ident connection to
> time out. By the time that happened, the SMTP daemon on the other
> system had timed out, as well, so no mail ever got delivered.
>
> Once I started rejecting packets to ident instead, things worked, since
> the ident callback would fail immediately. (Actually, since I didn't
> have the REJECT target, I just opened the ident port and then made sure
> identd wasn't running.)

<snip>

That's why when I use 'DROP' as default policy on the INPUT chain I also
add:

... --dport 113 -j REJECT --reject-with tcp-reset


--
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE


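The rule set the post describes, written out as an added example (not from the original message or its author): a DROP default policy on INPUT, with ident (TCP/113) answered by a TCP RST so a remote MTA's ident callback fails at once instead of hanging until it times out. Assumed: SMTP is served on TCP/25, loopback and established traffic are allowed, and IPT defaults to "echo iptables" so the rules can be reviewed without root (run with IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example, not the poster's configuration. IPT defaults to a dry run.
IPT="${IPT:-echo iptables}"

ident_reject_rules() {
    # REJECT is a rule target, not a chain policy: a built-in chain's policy
    # can only be ACCEPT or DROP, which is why a "policy of REJECT" never
    # worked. The policy stays DROP and ident is handled by an explicit rule.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we opened (e.g. outbound SMTP) must get in.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Assumed service: inbound mail on TCP/25.
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT
    # Ident callbacks get a RST so the peer's lookup fails immediately
    # rather than waiting for a silently dropped SYN to time out.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Anything else falls through to the DROP policy.
}

# Check (with -C) that the ident rule is actually present on a live box.
verify_ident_reject() {
    $IPT -C INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

ident_reject_rules
```

With the default dry run the script only prints the iptables commands; the ordering matters, since the conntrack ACCEPT must precede the ident REJECT for replies to the server's own outbound connections to keep flowing.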
