iptables: drop or reject?

Ashley M. Kirchner ashley at pcraft.com
Thu Oct 25 17:54:28 UTC 2007


    To drop or not to drop, that is the question.  If there's a server 
out there sending spam e-mail, and I use iptables to block it, is it 
best to simply drop the packet, or should I do a '--reject-with 
icmp-host-unreachable' (or 'icmp-port-unreachable') or just a 'tcp-reset'?

    Basically, if I just drop the packet, the server in question would 
simply continue to send stuff, wouldn't it?  As far as it knows, its 
spam reached the destination, whereas if I send something back, it might 
actually acknowledge and stop?  Yes?  No?

-- 
W | It's not a bug - it's an undocumented feature.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley at pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / Websmith             .     800.441.3873 x130
  Photo Craft Imaging                       .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A. 
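
The four responses named in the question, written out as iptables rules. This is an added example, not part of the original message. The source address 192.0.2.10 is a constructed documentation address and SMTP on TCP port 25 is an assumption. The script only prints the rules and applies nothing to the firewall.

```shell
#!/bin/sh
# Added example: builds the iptables rule for each response named in the
# question. 192.0.2.10 is a constructed address; port 25 (SMTP) is assumed.
# In every case the TCP handshake is never completed, so no SMTP session
# is opened; the rules differ only in what the sender is told.

# block_rule SRC MODE -> prints the iptables command for that response.
# MODE: drop | host-unreachable | port-unreachable | tcp-reset
block_rule() {
    src=$1
    mode=$2
    base="iptables -A INPUT -s $src -p tcp --dport 25"
    case $mode in
        drop)
            # No reply at all: the sender's SYN goes unanswered and is
            # retransmitted until the connect attempt times out.
            echo "$base -j DROP" ;;
        host-unreachable|port-unreachable)
            # ICMP destination-unreachable reply with the given code.
            echo "$base -j REJECT --reject-with icmp-$mode" ;;
        tcp-reset)
            # TCP RST reply (only valid together with -p tcp): to the
            # sender this looks like a closed port.
            echo "$base -j REJECT --reject-with tcp-reset" ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
    esac
}

# Print all four candidate rules for review.
show_rules() {
    for m in drop host-unreachable port-unreachable tcp-reset; do
        block_rule "$1" "$m" || return 1
    done
}

show_rules 192.0.2.10
```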




More information about the fedora-list mailing list