ever block *outgoing* packets on your firewall?
nickd at metastasis.org.uk
Tue Feb 8 02:08:00 CET 2005
On Mon, Feb 07, 2005 at 10:28:46AM -0800, seberino at spawar.navy.mil wrote:
> > > i run a default DROP policy on the OUTPUT chain of my firewalls
> > > and only allow out necessary traffic (DNS, HTTP/FTP to update
> > > servers, NTP, etc). but i'm pretty odd when it comes to these
> > > things--i don't know how necessary it is. the one nice
> > > side-effect is that it keeps me from doing something stupid when
> > > i'm ssh-ed into a firewall.
> > Out of interest why "DROP" rather than "REJECT"? With reject users,
> > hosts or programs on the inside tend to fail straight away rather
> > than taking a while to time out annoyingly.
> please remind me of difference between REJECT and DROP.
> Perhaps I should use REJECT then!
From the "man iptables" pages ;)

DROP
    means to drop the packet on the floor.
REJECT
    This is used to send back an error packet in response to the matched
Really that's it, a DROP rule will just eat the packet and not do
anything else or tell anyone or anything, hence the remote end of the
connection will presume the packet or its reply got lost along the way
and try again. A REJECT rule will send something back saying "I don't
talk that protocol".
Where are we going and what's with the hand basket?
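Added example, not part of the thread or of anyone's posted ruleset: a default-DROP OUTPUT chain of the kind the first poster describes (only DNS, HTTP/FTP, NTP and the management SSH session allowed out), with the catch-all rule switchable between DROP and REJECT as discussed above. The `IPT` variable is an assumption for running it safely: it defaults to the real `iptables` binary, and setting `IPT="echo iptables"` prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): outbound-restricting OUTPUT chain with a
# switchable catch-all.  IPT is an assumption: default is the real iptables
# binary; set IPT="echo iptables" to dry-run and just print the rules.
IPT="${IPT:-iptables}"

# build_output_chain ACTION   -- ACTION is DROP or REJECT for the final catch-all
build_output_chain() {
    action="$1"
    # Policy DROP first, so a flush never leaves the chain wide open
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    # Loopback, and packets belonging to connections conntrack already knows
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # NEW connections only for the services the box actually needs
    $IPT -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT   # DNS
    $IPT -A OUTPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT   # DNS over TCP
    $IPT -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT   # NTP
    $IPT -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT   # HTTP (update servers)
    $IPT -A OUTPUT -p tcp --dport 21  -m conntrack --ctstate NEW -j ACCEPT   # FTP control; data comes via RELATED with the FTP conntrack helper
    $IPT -A OUTPUT -p tcp --dport 22  -m conntrack --ctstate NEW -j ACCEPT   # SSH
    # Log before the catch-all so a silently eaten packet still leaves a trace
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-blocked: "
    case "$action" in
        REJECT)
            # TCP gets a RST, everything else an ICMP admin-prohibited, so the
            # local program fails at once instead of waiting for a timeout
            $IPT -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
            $IPT -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
            ;;
        DROP)
            # Silent: the sender sees nothing and retransmits until it gives up
            $IPT -A OUTPUT -j DROP
            ;;
        *)
            echo "usage: build_output_chain DROP|REJECT" >&2
            return 1
            ;;
    esac
}

# catchall_rules ACTION  -- dry-run the chain and return only the catch-all
# rule(s) that ACTION would install, for inspection before loading anything
catchall_rules() {
    ( IPT="echo iptables"; build_output_chain "$1" ) | grep -E -- '-j (DROP|REJECT)'
}

# Usage: ./outbound.sh REJECT       (or DROP); no argument just defines the functions
if [ $# -gt 0 ]; then
    build_output_chain "$1"
fi
```

Load it from a console or with a fallback (`at now + 5 minutes` with an `iptables -P OUTPUT ACCEPT`) rather than over the SSH session it governs; the ESTABLISHED rule keeps an existing session alive, but a typo in the rules before it does not.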