Which ICMP reject works best

This is a discussion on "Which ICMP reject works best" within the Linux Networking forums, part of the Linux Forums category.


#1  02-20-2007  none
Which ICMP reject works best

Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?

It looks like just doing a DROP and not wasting a reply may be
the answer, because most seem to ignore the reject messages and SYN away...

Any experts with insight into this?

Valid reject types:
icmp-net-unreachable ICMP network unreachable
net-unreach alias
icmp-host-unreachable ICMP host unreachable
host-unreach alias
icmp-proto-unreachable ICMP protocol unreachable
proto-unreach alias
icmp-port-unreachable ICMP port unreachable (default)
port-unreach alias
icmp-net-prohibited ICMP network prohibited
net-prohib alias
icmp-host-prohibited ICMP host prohibited
host-prohib alias
tcp-reset TCP RST packet
tcp-rst alias
icmp-admin-prohibited ICMP administratively prohibited (*)
admin-prohib alias
#2  02-20-2007  Andrzej Adam Filip
Re: Which ICMP reject works best

none <none@none1.invalid> writes:

> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> It looks like just doing a DROP and not wasting a reply may be
> the answer, because most seem to ignore the reject messages and SYN away...
>
> Any experts with insight into this?
>
> Valid reject types:
> icmp-net-unreachable ICMP network unreachable
> net-unreach alias
> icmp-host-unreachable ICMP host unreachable
> host-unreach alias
> icmp-proto-unreachable ICMP protocol unreachable
> proto-unreach alias
> icmp-port-unreachable ICMP port unreachable (default)
> port-unreach alias
> icmp-net-prohibited ICMP network prohibited
> net-prohib alias
> icmp-host-prohibited ICMP host prohibited
> host-prohib alias
> tcp-reset TCP RST packet
> tcp-rst alias
> icmp-admin-prohibited ICMP administratively prohibited (*)
> admin-prohib alias


Have you considered using tcp-reset?

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Home site: http://anfi.homeunix.net/
#3  02-20-2007  Pascal Hambourg
Re: Which ICMP reject works best

Hello,

none wrote:
> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> Valid reject types:
> icmp-net-unreachable ICMP network unreachable
> icmp-host-unreachable ICMP host unreachable
> icmp-proto-unreachable ICMP protocol unreachable
> icmp-port-unreachable ICMP port unreachable (default)
> icmp-net-prohibited ICMP network prohibited
> icmp-host-prohibited ICMP host prohibited
> tcp-reset TCP RST packet
> icmp-admin-prohibited ICMP administratively prohibited (*)


- TCP RST for TCP packets.
- ICMP Port Unreachable for UDP packets and other supported
port-oriented protocols.
- ICMP Protocol Unreachable for unsupported or non-port-oriented
protocols.
- ICMP Communication Administratively Prohibited is nice, but I have
found that not all hosts understand it, which may reduce its efficiency.

Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
ICMP Communication Administratively Prohibited must be used instead.

(Source: RFC 1812)
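The per-protocol choice Pascal describes, written out as an iptables rule set (added example, not code from the thread). The chain name POLITE_REJECT and the APPLY switch are this example's own conventions; by default it only prints the commands, so it can be inspected before being installed as root with APPLY=1.

```shell
#!/bin/sh
# Added example: a REJECT chain that follows the thread's recommendation
#   tcp -> tcp-reset              (a RST closes the client's socket at once)
#   udp -> icmp-port-unreachable  (port-oriented protocol)
#   *   -> icmp-proto-unreachable (protocol not handled at all)
# instead of iptables' default of icmp-port-unreachable for everything.

CHAIN="POLITE_REJECT"   # hypothetical chain name chosen for this example

# Map an IP protocol name to the --reject-with type recommended above.
reject_type() {
    case "$1" in
        tcp) echo "tcp-reset" ;;
        udp) echo "icmp-port-unreachable" ;;
        *)   echo "icmp-proto-unreachable" ;;
    esac
}

# Print the iptables command, or execute it when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Create the chain: one terminal rule per port-oriented protocol, then a
# catch-all. Because REJECT is terminal, the catch-all only ever sees
# traffic that is neither TCP nor UDP.
build_reject_chain() {
    ipt -N "$CHAIN"
    for proto in tcp udp; do
        ipt -A "$CHAIN" -p "$proto" -j REJECT --reject-with "$(reject_type "$proto")"
    done
    ipt -A "$CHAIN" -j REJECT --reject-with "$(reject_type other)"
}

# Hand everything INPUT has not accepted to the chain. Swap the chain for
# -j DROP here if, as post #4 argues, you would rather not answer at all.
build_reject_chain
ipt -A INPUT -j "$CHAIN"
```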
#4  02-21-2007  none
Re: Which ICMP reject works best

On Tue, 20 Feb 2007 07:40:54 -0800, Pascal Hambourg wrote:

> Hello,
>
> none wrote:
>> Given the various iptables icmp reject types, which is supposed to make
>> the calling host shut up and go away the fastest?
>>
>> Valid reject types:
>> icmp-net-unreachable ICMP network unreachable
>> icmp-host-unreachable ICMP host unreachable
>> icmp-proto-unreachable ICMP protocol unreachable
>> icmp-port-unreachable ICMP port unreachable (default)
>> icmp-net-prohibited ICMP network prohibited
>> icmp-host-prohibited ICMP host prohibited
>> tcp-reset TCP RST packet
>> icmp-admin-prohibited ICMP administratively prohibited (*)

>
> - TCP RST for TCP packets.
> - ICMP Port Unreachable for UDP packets and other supported
> port-oriented protocols.
> - ICMP Protocol Unreachable for unsupported or non-port-oriented
> protocols.
> - ICMP Communication Administratively Prohibited is nice, but I have
> found that not all hosts understand it, which may reduce its efficiency.
>
> Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
> ICMP Communication Administratively Prohibited must be used instead.
>
> (Source: RFC 1812)


My simple testing today suggests using any kind of reject is a waste of
bandwidth for TCP: they will send at least 3 SYNs whether or not you
respond with a rejection, so DROP becomes more bandwidth efficient.

thx