Re: pf rules
On Thu, 07 Mar 2002 12:10:18 +0100 Matteo Cavalleri <shiva.brahma@inwind.it> wrote:
> If I put the rule "block in $ext_if all" at the top of my ruleset,
> "block return-rst in on $ext_if proto tcp all" is not necessary,
> isn't it?
> AFAIK the first rule does the same thing as the second one, it just doesn't
> send a reply to the host sending the tcp packets, so what's the
> advantage of having the second rule after the first one? (as suggested
> in the pf.conf manual page)
the advantage is that there are cases where it is really a good idea to
send the reply. for example, if the host on the other end was doing an
auth query on port 113, if you simply drop the packet the remote host is
going to hang for a while waiting for a timeout, as opposed to
immediately knowing that no answer is coming.
funky timeout problems don't always come from DNS (per the recent
discussion on this list). sometimes they come from identd/auth; i've seen
MTAs hang on initial connection for identd problems as frequently as i've
seen them hang on initial connection for DNS problems.
so there's one reason for you.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
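An added example ruleset illustrating the point made in this thread (it is not from the original message or the OpenBSD project); the interface name and the SMTP pass rule are assumptions added for context:

```pf
# Added example, not part of the original thread.
ext_if = "fxp0"    # assumed name of the external interface

# Default policy: silently drop everything coming in on the external interface.
# The remote host gets no answer and has to wait for its own timeout.
block in on $ext_if all

# pf evaluates rules in order and, without "quick", the LAST matching rule wins.
# This later rule therefore refines the one above for TCP: instead of dropping
# silently, answer with a RST so the peer knows immediately that nothing is there.
block return-rst in on $ext_if proto tcp all

# The case from the thread: ident/auth lookups on TCP port 113 that a remote
# MTA makes when we connect to it. Stating it explicitly documents the intent
# and keeps the fast "no service here" answer even if the blanket TCP rule
# above is later narrowed.
block return-rst in on $ext_if proto tcp from any to any port 113

# Services that are actually offered are passed explicitly (assumed example:
# SMTP). "keep state" lets the replies back out.
pass in on $ext_if proto tcp from any to $ext_if port 25 keep state
```

Trade-off to keep in mind: a RST confirms to the peer that a host is listening on that address, which is why some administrators prefer a silent drop on everything; the argument in this thread is that for ident the faster failure is worth it.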