On Tuesday 02 April 2002 19:15, [EMAIL PROTECTED] wrote:
> You can't tell me that many uses of this patch are antisocial. In
> fact, in its intended use, it would've substantially reduced the
> amount of antisocial packets leaving my network. This is a tool
> with interesting uses that the netfilter team can make available to
> a much wider audience than I, which is why it was offered.
I have to agree with you on that. --reject-with tcp-synack does make some sense when applied correctly, mainly to act as a lightweight sink for uncontrolled TCP robots running in your own network, but at the same time it is a very dangerous option, and that is why caution needs to be applied if it is distributed widely.

The danger of including it in patch-o-matic is that many novice sysadmins might be anti-social without knowing it (or in some cases intentionally), applying this kind of rule carelessly in uncontrolled environments such as incoming traffic on their internet connection, thinking that it does good things, when in fact all it accomplishes in such a case is to worsen the problem for others.

My approach to this kind of problem would be more offensive: completely blocking such stations from using the relevant network services, and in the case of local users, giving the user a message about the fact, prompting them to correct the issue before allowing them to use the affected network services again.

Regards
Henrik