Re: Which ICMP reject works best
- From: none <none@xxxxxxxxxxxxx>
- Date: Tue, 20 Feb 2007 18:05:19 -0800
On Tue, 20 Feb 2007 07:40:54 -0800, Pascal Hambourg wrote:
> Hello,
>
> none wrote:
>
>> Given the various iptables icmp reject types, which is supposed to make
>> the calling host shut up and go away the fastest?
>>
>> Valid reject types:
>>   icmp-net-unreachable     ICMP network unreachable
>>   icmp-host-unreachable    ICMP host unreachable
>>   icmp-proto-unreachable   ICMP protocol unreachable
>>   icmp-port-unreachable    ICMP port unreachable (default)
>>   icmp-net-prohibited      ICMP network prohibited
>>   icmp-host-prohibited     ICMP host prohibited
>>   tcp-reset                TCP RST packet
>>   icmp-admin-prohibited    ICMP administratively prohibited (*)
>
> - TCP RST for TCP packets.
> - ICMP Port Unreachable for UDP packets and other supported
>   port-oriented protocols
> - ICMP Protocol Unreachable for unsupported or non protocol-oriented
>   protocols
> - ICMP Communication Administratively Prohibited is nice but I have
>   found that not all hosts understand it, which may reduce its efficiency.
>
> Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
> ICMP Communication Administratively Prohibited must be used instead.
> (Source: RFC 1812)
My simple testing today suggests using any kind of reject is a waste of
bandwidth for TCP: they will send at least 3 SYNs whether or not you
respond with a rejection, so DROP becomes more bandwidth-efficient.

thx
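As an added example (not from this thread), the Python below builds the ICMPv4 Destination Unreachable message that each icmp-* reject type listed above puts on the wire, and decodes one coming back while flagging the two codes RFC 1812 deprecates. The RFC 792/RFC 1812 code numbers, the 28-byte quote of the offending packet and the constructed UDP packet are assumptions of the example; tcp-reset is left out because it is a TCP segment, not an ICMP message.

```python
import struct

# ICMP Destination Unreachable (type 3) code behind each iptables
# --reject-with name; code numbers assumed per RFC 792 and RFC 1812.
ICMP_DEST_UNREACH = 3
REJECT_CODES = {
    "icmp-net-unreachable": 0,
    "icmp-host-unreachable": 1,
    "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3,
    "icmp-net-prohibited": 9,    # deprecated by RFC 1812
    "icmp-host-prohibited": 10,  # deprecated by RFC 1812
    "icmp-admin-prohibited": 13,
}
DEPRECATED_CODES = {9, 10}
CODE_TO_NAME = {code: name for name, code in REJECT_CODES.items()}

# Constructed sample, not captured traffic: a 20-byte IPv4 header (proto 17 =
# UDP, 192.0.2.1 -> 192.0.2.2) followed by an 8-byte UDP header to port 53.
SAMPLE_UDP_PACKET = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    + struct.pack("!HHHH", 40000, 53, 8, 0)
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_reject(reject_with: str, offending: bytes) -> bytes:
    """ICMP message a REJECT --reject-with <name> rule sends back for `offending`."""
    code = REJECT_CODES[reject_with]
    quoted = offending[:28]   # RFC 792 minimum quote: IP header + 8 payload bytes
    csum = inet_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted

def classify_reject(icmp: bytes) -> dict:
    """Decode a received type-3 message: reject name, RFC 1812 status, checksum."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP destination-unreachable message")
    return {
        "reject_with": CODE_TO_NAME.get(code, "unknown-code-%d" % code),
        "deprecated": code in DEPRECATED_CODES,
        "checksum_ok": inet_checksum(icmp) == 0,  # valid message sums to all ones
    }
```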