iptables +block country

NoOp glgxg at sbcglobal.net
Mon Aug 16 17:44:58 UTC 2010


On 08/16/2010 12:22 AM, Tom H wrote:
> 2010/8/16 Markus Schönhaber <ubuntu-users at list-post.mks-mail.de>:
>> 16.08.2010 08:13, Harry Strongburg:
>>
>>> I also agree with this statement. If you are having genuine problems
>>> with scan-bots, REJECTing them is bad. You should DROP instead.
>>>
>>> Why?
>>> 1) It makes known to them that you "exist", if they didn't already know.
>>
>> You can't hide your "existence" by not answering to connection requests.
>> If you truly didn't "exist" the last hop *before* your not existing
>> machine would send a host unreachable ICMP message. The lack of this
>> message shows that something's there.
> 
> +1
> 
> I look at it in the same way that I look at spam. I don't reply to
> spam so why should I reply to bot probes?
> 

I've modified the table to DROP - thanks.
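
The switch to DROP reported above, sketched for a country block list as an added example (not code from this thread). It assumes the networks are kept in an ipset named country_block, a hypothetical name, and the sample networks are constructed documentation ranges. With REJECT every blocked probe is answered with an ICMP port-unreachable; with DROP nothing is sent back.

```shell
#!/bin/sh
# Added example. SET_NAME and the sample networks are constructed placeholders.
SET_NAME="country_block"

# is_cidr4 STRING: succeed only for a.b.c.d/len with octets <= 255, len <= 32.
is_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    case "$1" in *[!0-9./]*) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_set: read CIDRs on stdin (blank lines and '#' comments skipped) and
# print lines that `ipset restore` accepts. Invalid entries go to stderr.
emit_set() {
    echo "create $SET_NAME hash:net family inet"
    while read -r net rest; do
        case "$net" in ''|'#'*) continue ;; esac
        if is_cidr4 "$net"; then
            echo "add $SET_NAME $net"
        else
            echo "skipped invalid entry: $net" >&2
        fi
    done
    return 0
}

# emit_rule TARGET: print the iptables command that applies the set.
emit_rule() {
    case "$1" in
        DROP)   jump="-j DROP" ;;   # silent: the prober only sees a timeout
        REJECT) jump="-j REJECT --reject-with icmp-port-unreachable" ;;
        *) echo "unsupported target: $1" >&2; return 2 ;;
    esac
    echo "iptables -I INPUT -m set --match-set $SET_NAME src $jump"
}

# Demo on a constructed list; only prints, changes nothing on the host.
printf '192.0.2.0/24\n198.51.100.0/25\n' | emit_set
emit_rule DROP
```

To apply it, pipe the output of emit_set into `ipset restore` and run the printed iptables command as root.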