[PATCH] add --reject-with tcp-synack to REJECT

Harald Welte laforge@gnumonks.org
Fri, 29 Mar 2002 17:28:20 +0100


On Fri, Mar 29, 2002 at 09:32:29AM +0100, Patrick Schaaf wrote:
> > This will leave incoming connections in the ESTABLISHED state on the
> > remote side, significantly slowing down Code Red or Nimda-style scans
> > of the entire IP space,
> 
> Yeah. And significantly slowing down Code Red requests through unsuspecting
> proxies, bringing down the proxies, potentially. IOW: antisocial if used
> on the Internet.
> 
> Having over 150 proxies serving several million narrowband internet users,
> I can tell you that I really hate that proposal. We handle it, heuristically,
> but it's awful. And don't tell me I should disinfect the clients. That sucks.
> 
> I feel this to be a dangerous option, and would protest inclusion into
> the base kernel (protest shortly, that is, and with no authority at all :-)

I totally agree with you.  I refuse to include this extension into the
iptables package - not even into the patch-o-matic 'broken' repository.

This is a plain 'quality of implementation issue'.  I don't want any code
officially distributed as part of the Linux firewalling subsystem to behave
in this antisocial way.

> best regards
>   Patrick

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)