Discussion:
Which ICMP reject works best
none
2007-02-20 01:29:31 UTC
Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?

It looks like just doing a DROP and not wasting a reply may be
the answer, because most seem to ignore the reject messages and SYN away...

Any experts with insight into this?

Valid reject types:
icmp-net-unreachable    ICMP network unreachable              (alias: net-unreach)
icmp-host-unreachable   ICMP host unreachable                 (alias: host-unreach)
icmp-proto-unreachable  ICMP protocol unreachable             (alias: proto-unreach)
icmp-port-unreachable   ICMP port unreachable (default)       (alias: port-unreach)
icmp-net-prohibited     ICMP network prohibited               (alias: net-prohib)
icmp-host-prohibited    ICMP host prohibited                  (alias: host-prohib)
tcp-reset               TCP RST packet                        (alias: tcp-rst)
icmp-admin-prohibited   ICMP administratively prohibited (*)  (alias: admin-prohib)
Andrzej Adam Filip
2007-02-20 06:32:39 UTC
Post by none
Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?
It looks like just doing a DROP and not wasting a reply may be
the answer, because most seem to ignore the reject messages and SYN away...
Any experts with insight into this?
icmp-net-unreachable    ICMP network unreachable              (alias: net-unreach)
icmp-host-unreachable   ICMP host unreachable                 (alias: host-unreach)
icmp-proto-unreachable  ICMP protocol unreachable             (alias: proto-unreach)
icmp-port-unreachable   ICMP port unreachable (default)       (alias: port-unreach)
icmp-net-prohibited     ICMP network prohibited               (alias: net-prohib)
icmp-host-prohibited    ICMP host prohibited                  (alias: host-prohib)
tcp-reset               TCP RST packet                        (alias: tcp-rst)
icmp-admin-prohibited   ICMP administratively prohibited (*)  (alias: admin-prohib)
Have you considered using tcp-reset?
--
[pl>en: Andrew] Andrzej Adam Filip : ***@priv.onet.pl : ***@xl.wp.pl
Home site: http://anfi.homeunix.net/
Pascal Hambourg
2007-02-20 15:40:54 UTC
Hello,
Post by none
Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?
icmp-net-unreachable ICMP network unreachable
icmp-host-unreachable ICMP host unreachable
icmp-proto-unreachable ICMP protocol unreachable
icmp-port-unreachable ICMP port unreachable (default)
icmp-net-prohibited ICMP network prohibited
icmp-host-prohibited ICMP host prohibited
tcp-reset TCP RST packet
icmp-admin-prohibited ICMP administratively prohibited (*)
- TCP RST for TCP packets.
- ICMP Port Unreachable for UDP packets and other supported
port-oriented protocols
- ICMP Protocol Unreachable for unsupported or non protocol-oriented
protocols
- ICMP Communication Administratively Prohibited is nice but I have
found that not all hosts understand it, which may reduce its efficiency.

Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
ICMP Communication Administratively Prohibited must be used instead.

(Source: RFC 1812)
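Pascal's per-protocol recommendation and the RFC 1812 deprecation note can be turned into a quick lint over `iptables-save` output, which is a cheap way to catch a REJECT rule that still uses net/host-prohibited or applies tcp-reset to a rule that is not limited to TCP. The script below is an added example, not code from this thread or from the iptables project. The sample ruleset embedded in it is constructed, and the `RejectRule`, `parse_reject_rule` and `lint_rules` names are the example's own. It maps every reject type and alias from the original post to one canonical name, flags the deprecated types, flags tcp-reset on a rule without `-p tcp`, and suggests the per-protocol choice from the reply above; it says nothing about REJECT versus DROP, which is the separate question the rest of the thread argues over.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every reject type and alias from the original post, mapped to its canonical name.
ALIASES = {
    "icmp-net-unreachable": "icmp-net-unreachable",     "net-unreach": "icmp-net-unreachable",
    "icmp-host-unreachable": "icmp-host-unreachable",   "host-unreach": "icmp-host-unreachable",
    "icmp-proto-unreachable": "icmp-proto-unreachable", "proto-unreach": "icmp-proto-unreachable",
    "icmp-port-unreachable": "icmp-port-unreachable",   "port-unreach": "icmp-port-unreachable",
    "icmp-net-prohibited": "icmp-net-prohibited",       "net-prohib": "icmp-net-prohibited",
    "icmp-host-prohibited": "icmp-host-prohibited",     "host-prohib": "icmp-host-prohibited",
    "tcp-reset": "tcp-reset",                           "tcp-rst": "tcp-reset",
    "icmp-admin-prohibited": "icmp-admin-prohibited",   "admin-prohib": "icmp-admin-prohibited",
}
# Deprecated by RFC 1812, as the thread notes; the replacement is admin-prohibited.
DEPRECATED = {"icmp-net-prohibited", "icmp-host-prohibited"}
# Per-protocol choice recommended in the thread: RST for TCP, port unreachable for UDP.
RECOMMENDED = {"tcp": "tcp-reset", "udp": "icmp-port-unreachable"}
DEFAULT_REJECT = "icmp-port-unreachable"  # iptables default when --reject-with is omitted


@dataclass
class RejectRule:
    proto: Optional[str]  # value of -p / --protocol, or None when the rule matches any protocol
    reject_with: str      # --reject-with value as written (alias or full name)


def parse_reject_rule(line: str) -> Optional[RejectRule]:
    """Return a RejectRule for an iptables-save line that jumps to REJECT, else None."""
    try:
        toks = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a rule we can read
        return None
    proto, reject_with, target = None, DEFAULT_REJECT, None
    for i, tok in enumerate(toks[:-1]):  # every option we care about takes one argument
        if tok in ("-p", "--protocol"):
            proto = toks[i + 1].lower()
        elif tok in ("-j", "--jump"):
            target = toks[i + 1]
        elif tok == "--reject-with":
            reject_with = toks[i + 1]
    if target != "REJECT":
        return None
    return RejectRule(proto, reject_with)


def lint_rules(text: str) -> List[Tuple[int, str]]:
    """Check every REJECT rule in iptables-save output; return (line number, finding) pairs."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = parse_reject_rule(raw)
        if rule is None:
            continue
        canon = ALIASES.get(rule.reject_with)
        if canon is None:
            findings.append((n, f"unknown reject type {rule.reject_with!r}"))
            continue
        if canon in DEPRECATED:
            findings.append((n, f"{canon} is deprecated by RFC 1812; use icmp-admin-prohibited"))
        if canon == "tcp-reset" and rule.proto != "tcp":
            findings.append((n, "tcp-reset only answers TCP; the rule needs -p tcp"))
        want = RECOMMENDED.get(rule.proto)
        if want and canon != want:
            findings.append((n, f"consider --reject-with {want} for -p {rule.proto} (rule uses {canon})"))
    return findings


# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

if __name__ == "__main__":
    for n, msg in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {msg}")
```

On the sample it reports line 6 twice (deprecated type, and tcp-reset suggested for a TCP rule) and line 7 twice (tcp-reset on a UDP rule, and port unreachable suggested instead). To check a live box, pass the text of `iptables-save` to `lint_rules()` in place of the sample. Rules that match any protocol, like the last one in the sample, get no suggestion, since the right reply there depends on what actually arrives.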
none
2007-02-21 02:05:19 UTC
Post by Pascal Hambourg
Hello,
Post by none
Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?
icmp-net-unreachable ICMP network unreachable
icmp-host-unreachable ICMP host unreachable
icmp-proto-unreachable ICMP protocol unreachable
icmp-port-unreachable ICMP port unreachable (default)
icmp-net-prohibited ICMP network prohibited
icmp-host-prohibited ICMP host prohibited
tcp-reset TCP RST packet
icmp-admin-prohibited ICMP administratively prohibited (*)
- TCP RST for TCP packets.
- ICMP Port Unreachable for UDP packets and other supported
port-oriented protocols
- ICMP Protocol Unreachable for unsupported or non protocol-oriented
protocols
- ICMP Communication Administratively Prohibited is nice but I have
found that not all hosts understand it, which may reduce its efficiency.
Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
ICMP Communication Administratively Prohibited must be used instead.
(Source: RFC 1812)
My simple testing today suggests using any kind of reject is a waste of
bandwidth for TCP: they will send at least 3 SYNs whether or not you
respond with a rejection, so DROP becomes more bandwidth efficient.

thx
