Re: FW: Filtering multiple networks

On Monday 31 May 2004 11:32, Markus Zeilinger wrote:
> - Why is DROP bad here? As I see REJECT would send an error message
> back to the source, but this would not make any sense on packets coming
> on the WAN interface with private IP addresses, or am I wrong?

You are not wrong.  Personally I would DROP any bogons coming in on a WAN 
interface.  REJECT does not make sense in this case; if they are 
unallocated or hijacked blocks the replies will not make it anyway.  If 
they are RFC1918 addresses that you are using internally, the replies 
would be sent to your LAN, which would not be desirable.

David
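The following is an added example, not part of the thread or of David's reply. It puts his advice into a small POSIX shell script: one function emits iptables rules that silently DROP (never REJECT) packets arriving on the WAN interface with an RFC 1918 source, and a second function picks such packets out of netfilter-style log lines so an administrator can see how much of that traffic is hitting the WAN side. The interface name `eth0`, the `IN=... SRC=...` log format and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Constructed example: RFC 1918 bogon filtering on a WAN interface.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

ip_to_int() {
  # Convert a dotted-quad IPv4 address to a 32-bit integer.
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
  # Usage: in_cidr ADDR NET/PREFIX ; succeeds when ADDR lies inside the block.
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  plen=${2#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

is_rfc1918() {
  # Succeeds when the address is in 10/8, 172.16/12 or 192.168/16.
  for n in $RFC1918_NETS; do
    in_cidr "$1" "$n" && return 0
  done
  return 1
}

wan_bogon_rules() {
  # Print iptables rules that DROP private-source packets arriving on the WAN
  # interface $1. DROP rather than REJECT: a reply to a spoofed private source
  # either goes nowhere or gets routed into your own LAN.
  wan=$1
  for n in $RFC1918_NETS; do
    echo "iptables -A INPUT -i $wan -s $n -j DROP"
    echo "iptables -A FORWARD -i $wan -s $n -j DROP"
  done
}

flag_wan_private_sources() {
  # Read netfilter-style log lines ("IN=<if> ... SRC=<ip> ...", a constructed
  # format) from stdin; print the SRC of every line that arrived on WAN
  # interface $1 from RFC 1918 space, i.e. traffic the rules above would drop.
  wan=$1
  while IFS= read -r line; do
    case $line in *"IN=$wan "*) ;; *) continue ;; esac
    src=${line##*SRC=}; src=${src%% *}
    is_rfc1918 "$src" && echo "$src"
  done
  return 0
}

# Constructed sample log lines: two private sources on the WAN side, one
# legitimate public source, and one private source on the LAN side (ignored).
SAMPLE_LOGS='IN=eth0 OUT= SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP DPT=22
IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=443
IN=eth1 OUT= SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP DPT=22
IN=eth0 OUT= SRC=10.9.8.7 DST=203.0.113.5 PROTO=UDP DPT=53'

# Usage when run directly: show the rules, then the flagged sources.
if [ "${0##*/}" = "bogon_filter.sh" ]; then
  wan_bogon_rules eth0
  printf '%s\n' "$SAMPLE_LOGS" | flag_wan_private_sources eth0
fi
```

The rules are printed rather than applied so the script can be reviewed first; piping the output of `wan_bogon_rules eth0` into `sh` would install them. The classifier only looks at lines whose `IN=` field is the WAN interface, so the same private address seen on `eth1` (the LAN side, where it belongs) is not reported.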
