On Wednesday 26 February 2020 23:25:53 Lee wrote:
> On 2/26/20, Gene Heskett <ghesk...@shentel.net> wrote:
> > On Wednesday 26 February 2020 16:00:35 to...@tuxteam.de wrote:
> >> On Wed, Feb 26, 2020 at 09:54:09PM +0300, Reco wrote:
> >> > Hi.
> >> >
> >> > On Wed, Feb 26, 2020 at 01:50:40PM -0500, Lee wrote:
> >>
> >> [...]
> >>
> >> > > Have you considered REJECT instead of DROP?
> >> >
> >> > A neat idea for your LAN. A bad idea in this case.
> >>
> >> Exactly.
> >>
> >> > You *want* that other side to retry, wasting their time instead
> >> > of spamming their target. In fact, one should consider using
> >> > TARPIT instead of a DROP here.
> >
> > My copy of iptables-extensions makes zero mention of TARPIT.
> >
> >> Moreover: you don't want the other side to even know that you're
> >> there. The less info you give away the better.
> >
> > My reasoning too.
>
> You're advertising your web server in your sig. The "other side"
> ALREADY KNOWS you have a web server there.

This is true...

> If you're going to advertise your presence on the web it seems
> pointless to pretend that you're not there. And the bots you'd be
> REJECTing are the ones that have ignored your robots.txt file, so why
> not just tell them to go away instead of putting up with their
> retries?

What if they ignore that RST too?

> > I'd much druther be a black hole that doesn't even have
> > any Hawking Radiation. But I've no info that such a beast exists
> > anyplace in the universe. There is info in the fact of there not
> > being any response.
> >
> >> In a LAN, however, REJECT is far better: you want the other side
> >> to know that you're there, but not talking.
> >
> > I'd call this a WAN since it's intended to go out on the internet.
> > And I am the only user inside this LAN.
> >
> > In that event, and given that a /24 rule caught them, how many out
> > of that /24 get the reject message?
>
> However many hit the REJECT rule. The iptables rule is going to send
> a RST to anything in that /24 that tries to access your server. The
> other hosts in that /24 that aren't trying to access your server
> won't get anything from you.

Good, you guys are beginning to make sense. Done.

> Regards,
> Lee

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
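The DROP-versus-REJECT choice the thread debates, as an added shell example that is not from the thread or from any poster: one helper emits either rule for a /24, restricted to the web port so only hosts that actually try the server ever see a RST, with a rate-limited LOG rule in front so those hosts show up in syslog. It assumes TCP port 6309 (the port in Gene's signature URL), the INPUT chain, and the constructed documentation prefix 203.0.113.0/24; setting IPTABLES=echo makes it a dry run.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iptables rules for one crawler /24.
# Assumptions: web server on TCP 6309 (from the signature URL), chain INPUT,
# 203.0.113.0/24 is a constructed documentation prefix. IPTABLES=echo = dry run.
IPTABLES="${IPTABLES:-iptables}"
WEB_PORT="${WEB_PORT:-6309}"

# block_net CIDR MODE   MODE is "drop" (silent) or "reject" (answer with TCP RST)
block_net() {
    net="$1"
    mode="$2"
    case "$mode" in
        drop)   target="DROP" ;;
        # tcp-reset rather than the default ICMP unreachable: the client sees a
        # closed port and gives up instead of retrying the way it would on DROP.
        reject) target="REJECT --reject-with tcp-reset" ;;
        *) echo "block_net: mode must be drop or reject" >&2; return 2 ;;
    esac
    # Rate-limited LOG first: only the hosts in the /24 that really send SYNs to
    # the web port appear in syslog; the rest of the /24 never hits either rule.
    $IPTABLES -I INPUT -s "$net" -p tcp --syn --dport "$WEB_PORT" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "web-bot $mode: " || return 1
    # Then the verdict, placed right after the LOG rule and ahead of the general
    # ACCEPT for the web port. $target is left unquoted on purpose so that the
    # REJECT variant expands into its separate --reject-with arguments.
    $IPTABLES -I INPUT 2 -s "$net" -p tcp --syn --dport "$WEB_PORT" -j $target
}

# Usage when run directly: ./block_net.sh 203.0.113.0/24 reject
if [ "$#" -eq 2 ]; then
    block_net "$@"
fi
```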