In article <[EMAIL PROTECTED]>, Daniel F. Chief Security Engineer - <[EMAIL PROTECTED]> wrote:

> I'm not trying to start a _Holy_war_ between DROP and REJECT fans, just
> wondering what the consensus is here. What should a good netizen do these
> days.
One other thing that I haven't seen in reply to this is that Linux 2.2 had a TBF-like filter on kernel-generated packets buried in /proc/sys/net/core, which limited the number of ICMP errors, broadcast ARP requests, etc. that the kernel might perpetrate on an unsuspecting LAN. This is really important if your approach to networking is to put 4000+ hosts on one big mixed 10/100/1000 ethernet segment (believe it or not, I've seen places where this would be considered "medium" size...). Netfilter has its own ways to limit these messages, but I'm not sure how they interact (e.g. is a netfilter REJECT counted in the kernel's message_burst variable, or not? Will this change next release?).

My own opinion on the topic is probably nothing you haven't seen before:

If you must use REJECT, limit the output rate. What the rate should be depends on your uplink speed... I'd start with 1% of min(outgoing, incoming) link speeds, and a burst of 1% of that. If you're into using non-core netfilter stuff, use the recent match module instead of limit--that way, each incoming IP gets their own little TBF, and you can keep the limits much smaller (e.g. permit a burst of 10-100 REJECTs per hour per IP, which is just enough for notifying users that their configuration is borked but not enough for a fast portscan).

Always DROP instead of REJECTing when the packet in question has a nonsensical source address, e.g. the source address is your private LAN but the packet arrives on the public side of a gateway, or the address is on the "reserved" nets 10.0.0.0/8, 192.168.0.0/16, and that other one I can never remember. If you enable rp_filter such packets should never be seen by your firewall.

I personally prefer DROP on laptops at work and my home systems at home. If you're trying to connect to a port that I don't think you should connect to, I'm not going to lift a finger to help you. :-P

-- 
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
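The policy described in the reply above (unconditional DROP for packets with a private-range source arriving on the public side, otherwise REJECT only within a per-source budget, DROP once that budget is spent) as an added worked example; this is not code from the post, and it is not netfilter itself. It models in plain Python the decision a ruleset built from the `recent` match would make: `PerSourceLimiter` mimics a per-IP window of `seconds`/`hitcount` in the way `recent` tracks each source separately, and the traffic in `simulate()` (a misconfigured host, a fast port scanner, a spoofed packet, all using documentation-range addresses) is constructed for illustration. The third RFC 1918 range, 172.16.0.0/12, is the one the author does not name.

```python
"""Model of rate-limited REJECT vs. unconditional DROP (added illustration).

Not netfilter code: it simulates the verdicts a ruleset using the `recent`
match with a per-source --seconds/--hitcount window would produce.
"""
import ipaddress
from collections import defaultdict, deque

# RFC 1918 private ranges; the post names two, 172.16.0.0/12 is the third.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class PerSourceLimiter:
    """Per-source budget: at most `hitcount` REJECTs per `seconds` window.

    This is the behaviour the post wants from the `recent` match: every
    source IP gets its own small bucket instead of one shared `limit`.
    """

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # src -> timestamps of recent REJECTs

    def allow(self, src, now):
        q = self.hits[src]
        while q and now - q[0] >= self.seconds:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.hitcount:
            return False  # budget spent: fall back to DROP
        q.append(now)
        return True


class Firewall:
    def __init__(self, limiter):
        self.limiter = limiter

    def verdict(self, src, arrived_on_public, now):
        ip = ipaddress.ip_address(src)
        # A private-range source on the public interface is spoofed or
        # misrouted; never spend a REJECT on it (rp_filter would catch it first).
        if arrived_on_public and any(ip in net for net in PRIVATE_NETS):
            return "DROP"
        # Otherwise be helpful, but only within this source's own budget.
        return "REJECT" if self.limiter.allow(ip, now) else "DROP"


def simulate():
    """Constructed traffic: misconfigured host, port scanner, spoofed packet."""
    fw = Firewall(PerSourceLimiter(seconds=3600, hitcount=50))
    counts = {name: defaultdict(int)
              for name in ("misconfigured", "scanner", "spoofed")}
    # Misconfigured host: five stray connection attempts spread over a minute.
    for i in range(5):
        counts["misconfigured"][fw.verdict("203.0.113.7", True, now=i * 12.0)] += 1
    # Port scanner: 1000 probes in ten seconds from a single address.
    for i in range(1000):
        counts["scanner"][fw.verdict("198.51.100.9", True, now=i * 0.01)] += 1
    # Packet claiming a LAN source but arriving on the public side.
    counts["spoofed"][fw.verdict("192.168.1.5", True, now=0.0)] += 1
    return {name: dict(c) for name, c in counts.items()}


if __name__ == "__main__":
    for who, verdicts in simulate().items():
        print(f"{who:14s} {verdicts}")
```

The misconfigured host gets every one of its few probes answered with a REJECT, so its owner can see the problem; the scanner exhausts its 50-per-hour budget in half a second and is silently dropped for the remaining 950 probes; the spoofed packet never reaches the limiter at all. Changing `hitcount` to somewhere in the 10-100 range the post suggests only moves the boundary between the first two cases.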
