> From the
> technical aspect not to answer to a request is not the right behaviour
> of a device conform to RFCs.

So far I followed this very interesting and insightful thread as an
observer, but here I must disagree. It's not about right or wrong,
everybody has to make his own decision about what's right or wrong for
him. I respect both arguments: RFC-compliance is important, but some
admins are concerned about what packets are spewed out from their boxes
unwillingly.

What about a compromise like this: In general allow RFC-compliant
traffic, but tightly control REJECTs and some ICMP traffic with --limit
and DROP the rest, this should help a lot against DoS (if this is at all
possible with REJECTs).

Best regards, Roman

--
gentoo-security@g.o mailing list
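
One way to express the compromise proposed in the message above, as an added example that is not part of the original post: a shell function that emits an iptables-restore ruleset where REJECT replies and echo-request handling are capped with the limit match and everything over the cap is dropped silently. The chain name LIMITED_REJECT, the rates, the burst sizes and the allowed SSH port are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Generates iptables-restore input
# for "rate-limited REJECT, DROP the rest". All rates/ports are assumptions.

gen_rules() {
    # $1 = max REJECT replies per protocol, $2 = max accepted echo-requests
    reject_rate="${1:-10/second}"
    icmp_rate="${2:-5/second}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LIMITED_REJECT - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies and ICMP errors belonging to known flows (e.g. fragmentation-needed).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Answer pings, but only up to the limit; other unsolicited ICMP is dropped.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit ${icmp_rate} --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -j DROP
# Example service (assumption): allow new SSH connections.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else gets an RFC-style refusal while under the limit.
-A INPUT -j LIMITED_REJECT
-A LIMITED_REJECT -p tcp -m limit --limit ${reject_rate} --limit-burst 20 -j REJECT --reject-with tcp-reset
-A LIMITED_REJECT -p udp -m limit --limit ${reject_rate} --limit-burst 20 -j REJECT --reject-with icmp-port-unreachable
# Over the limit (or any other protocol): stay silent, so a flood
# cannot make this host emit an unbounded stream of replies.
-A LIMITED_REJECT -j DROP
COMMIT
EOF
}
```

The output can be checked without loading it by piping `gen_rules` into `iptables-restore --test`. The limit match is a single token bucket per rule, so under a flood legitimate clients share the same budget and may see a silent DROP instead of a REJECT.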