From: none on 19 Feb 2007 20:29

Given the various iptables icmp reject types, which is supposed to make the calling host shut up and go away the fastest?

It looks like it may be just doing a DROP and not wasting replying may be the answer because most seem to ignore the reject messages and syn away...

Any experts with insight to this?

Valid reject types:
    icmp-net-unreachable    ICMP network unreachable
    net-unreach             alias
    icmp-host-unreachable   ICMP host unreachable
    host-unreach            alias
    icmp-proto-unreachable  ICMP protocol unreachable
    proto-unreach           alias
    icmp-port-unreachable   ICMP port unreachable (default)
    port-unreach            alias
    icmp-net-prohibited     ICMP network prohibited
    net-prohib              alias
    icmp-host-prohibited    ICMP host prohibited
    host-prohib             alias
    tcp-reset               TCP RST packet
    tcp-rst                 alias
    icmp-admin-prohibited   ICMP administratively prohibited (*)
    admin-prohib            alias
From: Andrzej Adam Filip on 20 Feb 2007 01:32

none <none(a)none1.invalid> writes:
> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> It looks like it may be just doing a DROP and not wasting replying may be
> the answer because most seem to ignore the reject messages and syn away...
>
> Any experts with insight to this?
>
> Valid reject types:
>     icmp-net-unreachable    ICMP network unreachable
>     net-unreach             alias
>     icmp-host-unreachable   ICMP host unreachable
>     host-unreach            alias
>     icmp-proto-unreachable  ICMP protocol unreachable
>     proto-unreach           alias
>     icmp-port-unreachable   ICMP port unreachable (default)
>     port-unreach            alias
>     icmp-net-prohibited     ICMP network prohibited
>     net-prohib              alias
>     icmp-host-prohibited    ICMP host prohibited
>     host-prohib             alias
>     tcp-reset               TCP RST packet
>     tcp-rst                 alias
>     icmp-admin-prohibited   ICMP administratively prohibited (*)
>     admin-prohib            alias

Have you considered using tcp-reset?

--
[pl>en: Andrew] Andrzej Adam Filip : anfi(a)priv.onet.pl : anfi(a)xl.wp.pl
Home site: http://anfi.homeunix.net/
From: Pascal Hambourg on 20 Feb 2007 10:40

Hello,

none wrote:
> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> Valid reject types:
>     icmp-net-unreachable    ICMP network unreachable
>     icmp-host-unreachable   ICMP host unreachable
>     icmp-proto-unreachable  ICMP protocol unreachable
>     icmp-port-unreachable   ICMP port unreachable (default)
>     icmp-net-prohibited     ICMP network prohibited
>     icmp-host-prohibited    ICMP host prohibited
>     tcp-reset               TCP RST packet
>     icmp-admin-prohibited   ICMP administratively prohibited (*)

- TCP RST for TCP packets.
- ICMP Port Unreachable for UDP packets and other supported port-oriented protocols.
- ICMP Protocol Unreachable for unsupported or non protocol-oriented protocols.
- ICMP Communication Administratively Prohibited is nice, but I have found that not all hosts understand it, which may reduce its efficiency.

Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated; ICMP Communication Administratively Prohibited must be used instead.

(Source: RFC 1812)
From: none on 20 Feb 2007 21:05

On Tue, 20 Feb 2007 07:40:54 -0800, Pascal Hambourg wrote:
> Hello,
>
> none wrote:
>> Given the various iptables icmp reject types, which is supposed to make
>> the calling host shut up and go away the fastest?
>>
>> Valid reject types:
>>     icmp-net-unreachable    ICMP network unreachable
>>     icmp-host-unreachable   ICMP host unreachable
>>     icmp-proto-unreachable  ICMP protocol unreachable
>>     icmp-port-unreachable   ICMP port unreachable (default)
>>     icmp-net-prohibited     ICMP network prohibited
>>     icmp-host-prohibited    ICMP host prohibited
>>     tcp-reset               TCP RST packet
>>     icmp-admin-prohibited   ICMP administratively prohibited (*)
>
> - TCP RST for TCP packets.
> - ICMP Port Unreachable for UDP packets and other supported
>   port-oriented protocols.
> - ICMP Protocol Unreachable for unsupported or non protocol-oriented
>   protocols.
> - ICMP Communication Administratively Prohibited is nice, but I have
>   found that not all hosts understand it, which may reduce its efficiency.
>
> Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
> ICMP Communication Administratively Prohibited must be used instead.
>
> (Source: RFC 1812)

My simple testing today suggests using any kind of reject is a waste of bandwidth for TCP; they will send at least 3 SYNs whether or not you respond with a rejection, so DROP becomes more bandwidth efficient.

thx
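The following is an added example, not code posted by anyone in this thread. It turns Pascal Hambourg's per-protocol recommendation (TCP RST for TCP, ICMP port unreachable for UDP, ICMP protocol unreachable for everything else) and the original poster's closing observation (plain DROP for TCP when bandwidth matters) into a small rule generator. It only prints iptables commands so they can be reviewed before being applied as root; the port numbers and the GRE line are constructed for illustration, and the `deny_rule`, `reject_target` and `is_deprecated` function names are the example's own.

```sh
#!/bin/sh
# Added example: generate iptables REJECT/DROP rules following the advice in the
# thread. Nothing here is applied; each line printed is a command to run as root.

# reject_target PROTO -> REJECT target with the reject type suited to PROTO.
# Note: --reject-with tcp-reset is only accepted on rules that match TCP (-p tcp),
# so the mapping is keyed on the protocol of the rule itself.
reject_target() {
    case "$1" in
        tcp)  echo "REJECT --reject-with tcp-reset" ;;
        udp)  echo "REJECT --reject-with icmp-port-unreachable" ;;
        *)    echo "REJECT --reject-with icmp-proto-unreachable" ;;
    esac
}

# deny_rule MODE PROTO [PORT] -> one iptables command.
#   MODE = reject  : answer with the protocol-appropriate rejection
#   MODE = drop    : silently discard (the poster's bandwidth-saving choice for TCP)
deny_rule() {
    mode="$1"; proto="$2"; port="$3"
    rule="iptables -A INPUT -p $proto"
    if [ -n "$port" ]; then
        rule="$rule --dport $port"
    fi
    case "$mode" in
        drop)   echo "$rule -j DROP" ;;
        reject) echo "$rule -j $(reject_target "$proto")" ;;
        *)      echo "deny_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# is_deprecated TYPE -> success if TYPE is one of the reject types RFC 1812
# deprecates (use icmp-admin-prohibited instead, as Pascal notes).
is_deprecated() {
    case "$1" in
        icmp-net-prohibited|icmp-host-prohibited|net-prohib|host-prohib) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed rule set for illustration (ports chosen arbitrarily):
deny_rule reject tcp 23     # TCP probe: immediate RST, client gives up cleanly
deny_rule reject udp 161    # UDP probe: ICMP port unreachable
deny_rule reject gre        # no port concept: ICMP protocol unreachable
deny_rule drop   tcp 22     # DROP: no reply at all, saves the reply bandwidth
```

Pipe the output through a review step (for example `sh -n` or a diff against the current ruleset) before feeding it to the shell; the generator deliberately never calls iptables itself.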