[PATCH] add --reject-with tcp-synack to REJECT
Harald Welte
laforge@gnumonks.org
Fri, 29 Mar 2002 17:28:20 +0100
On Fri, Mar 29, 2002 at 09:32:29AM +0100, Patrick Schaaf wrote:
> > This will leave incoming connections in the ESTABLISHED state on the
> > remote side, significantly slowing down Code Red or Nimda-style scans
> > of the entire IP space,
>
> Yeah. And significantly slowing down Code Red requests through unsuspecting
> proxies, bringing down the proxies, potentially. IOW: antisocial if used
> on the Internet.
>
> Having over 150 proxies serving several million narrowband internet users,
> I can tell you that I really hate that proposal. We handle it, heuristically,
> but it's awful. And don't tell me I should disinfect the clients. That sucks.
>
> I feel this to be a dangerous option, and would protest inclusion into
> the base kernel (protest shortly, that is, and with no authority at all :-)
I totally agree with you. I refuse to include this extension into the
iptables package - not even into the patch-o-matic 'broken' repository.
This is a plain 'quality of implementation issue'. I don't want any code
officially distributed as part of the Linux firewalling subsystem to behave
in this antisocial way.
> best regards
> Patrick
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/