[NBLUG/talk] denying specific hosts via bastille-based firewall?

Kyle Rankin greenfly at greenfly.net
Mon Apr 21 13:12:01 PDT 2003


On Mon, Apr 21, 2003 at 01:01:35PM -0700, augie wrote:
...
> 
> Kyle Rankin wrote:
> > On Mon, Apr 21, 2003 at 11:29:57AM -0700, Daniel Smith wrote:
> >>What's a good way to drop certain IP addresses at
> >>the firewall level, as opposed to bouncing them
> >>from Apache?
> > If your machine supports iptables, then the command would be:
> > iptables -A INPUT -s 12.34.56.78 -j REJECT
> 
> note though that REJECT is different than DROP. from the iptables man page:
> 
> "REJECT
> This is used to send back an error packet in response to the matched
> packet: otherwise it is equivalent to DROP ..."
> 
> i use DROP as the default in my firewall rules because it limits the
> likelihood of someone just stumbling across me. your needs are probably
> different though.
[snip]

Right, however, I think that dropping packets breaks some protocols, that
prefer (require?) that you send an error message back if the service isn't
available.  I know sometimes with nmap, for instance, it can sense that the
firewall is filtering the packets out, instead of not having the port open.

Off the top of my head, I can't remember whether DROP or REJECT shows up as
"(filtered)" when running nmap against the port.  That is a consideration
though, and for your needs DROP might work better.

-- 
Kyle Rankin (greenfly)
http://greenfly.org
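As an added example (not code from the thread), a small POSIX sh helper that emits the iptables command for a host in DROP, ICMP-REJECT or TCP-reset form, and looks up how a host is already handled in an iptables-save dump; the dump below is a constructed sample. The `--reject-with tcp-reset` variant answers TCP with an RST, so the port looks closed rather than filtered to a scanner, which is the distinction raised above.

```shell
#!/bin/sh
# Added example: build iptables blocklist rules for a host and check an
# iptables-save dump for how that host is currently treated in INPUT.

# Validate a dotted-quad IPv4 address (each octet 0-255); returns 0 if valid.
valid_ipv4() {
    ip="$1"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the iptables command that blocks source $1 in mode $2:
#   drop   - silently discard (a scanner reports the port as "filtered")
#   reject - answer with ICMP port-unreachable (iptables' REJECT default)
#   reset  - answer TCP with RST, so the port looks closed, not filtered
block_rule() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    case "$2" in
        drop)   echo "iptables -A INPUT -s $1 -j DROP" ;;
        reject) echo "iptables -A INPUT -s $1 -j REJECT --reject-with icmp-port-unreachable" ;;
        reset)  echo "iptables -A INPUT -s $1 -p tcp -j REJECT --reject-with tcp-reset" ;;
        *)      echo "unknown mode: $2" >&2; return 1 ;;
    esac
}

# Read an iptables-save dump on stdin and print the target (DROP, REJECT, ...)
# of the first INPUT rule matching source $1, or "none" if there is no rule.
host_target() {
    awk -v ip="$1" '
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == ip "/32"))
                    for (j = i; j < NF; j++)
                        if ($j == "-j") { print $(j+1); found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Constructed sample of iptables-save output (not a real host's ruleset).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 12.34.56.78/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.0.0.9/32 -j DROP
COMMIT'

# Demo: emit a reset-style rule, then see how the sample dump treats the host.
block_rule 12.34.56.78 reset
printf '%s\n' "$SAMPLE_DUMP" | host_target 12.34.56.78
```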