Networking Forums

Which ICMP reject works best

 
 
none
02-20-2007, 12:29 AM
Given the various iptables icmp reject types, which is supposed to make
the calling host shut up and go away the fastest?

It looks like just doing a DROP and not wasting a reply may be the
answer, because most seem to ignore the reject messages and SYN away...

Any experts with insight into this?

Valid reject types:
  icmp-net-unreachable    ICMP network unreachable              (alias: net-unreach)
  icmp-host-unreachable   ICMP host unreachable                 (alias: host-unreach)
  icmp-proto-unreachable  ICMP protocol unreachable             (alias: proto-unreach)
  icmp-port-unreachable   ICMP port unreachable (default)       (alias: port-unreach)
  icmp-net-prohibited     ICMP network prohibited               (alias: net-prohib)
  icmp-host-prohibited    ICMP host prohibited                  (alias: host-prohib)
  tcp-reset               TCP RST packet                        (alias: tcp-rst)
  icmp-admin-prohibited   ICMP administratively prohibited (*)  (alias: admin-prohib)
 
Andrzej Adam Filip
02-20-2007, 05:32 AM
none <(E-Mail Removed)> writes:

> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> It looks like just doing a DROP and not wasting a reply may be the
> answer, because most seem to ignore the reject messages and SYN away...
>
> Any experts with insight into this?
>
> Valid reject types:
> icmp-net-unreachable ICMP network unreachable
> net-unreach alias
> icmp-host-unreachable ICMP host unreachable
> host-unreach alias
> icmp-proto-unreachable ICMP protocol unreachable
> proto-unreach alias
> icmp-port-unreachable ICMP port unreachable (default)
> port-unreach alias
> icmp-net-prohibited ICMP network prohibited
> net-prohib alias
> icmp-host-prohibited ICMP host prohibited
> host-prohib alias
> tcp-reset TCP RST packet
> tcp-rst alias
> icmp-admin-prohibited ICMP administratively prohibited (*)
> admin-prohib alias


Have you considered using tcp-reset?

--
[pl>en: Andrew] Andrzej Adam Filip : (E-Mail Removed) : (E-Mail Removed)
Home site: http://anfi.homeunix.net/
 
Pascal Hambourg
02-20-2007, 02:40 PM
Hello,

none wrote:
> Given the various iptables icmp reject types, which is supposed to make
> the calling host shut up and go away the fastest?
>
> Valid reject types:
> icmp-net-unreachable ICMP network unreachable
> icmp-host-unreachable ICMP host unreachable
> icmp-proto-unreachable ICMP protocol unreachable
> icmp-port-unreachable ICMP port unreachable (default)
> icmp-net-prohibited ICMP network prohibited
> icmp-host-prohibited ICMP host prohibited
> tcp-reset TCP RST packet
> icmp-admin-prohibited ICMP administratively prohibited (*)


- TCP RST for TCP packets.
- ICMP Port Unreachable for UDP packets and other supported
port-oriented protocols
- ICMP Protocol Unreachable for unsupported or non protocol-oriented
protocols
- ICMP Communication Administratively Prohibited is nice but I have
found that not all hosts understand it, which may reduce its efficiency.

Note: ICMP Network Prohibited and ICMP Host Prohibited are deprecated;
ICMP Communication Administratively Prohibited must be used instead.

(Source: RFC 1812)
 
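A small decoder for the ICMP Destination Unreachable messages that these reject types produce, as an added example that is not code from any post in this thread. It verifies the ICMP checksum, maps the type-3 code to the iptables --reject-with name that generates it, flags the codes Pascal's post calls deprecated under RFC 1812, pulls the protocol and destination port out of the quoted original datagram, and reports which reject type his per-protocol list recommends for that protocol. The sample packet is constructed inline and the function names are my own.

```python
"""Decode ICMP Destination Unreachable messages (the packets iptables REJECT
emits) and relate them to the --reject-with names in this thread.
Added example: not code from the thread; sample packets are constructed."""
import socket
import struct

ICMP_DEST_UNREACH = 3  # ICMP type 3, RFC 792

# ICMP type-3 code -> iptables --reject-with name that generates it
REJECT_NAMES = {
    0: "icmp-net-unreachable",
    1: "icmp-host-unreachable",
    2: "icmp-proto-unreachable",
    3: "icmp-port-unreachable",
    9: "icmp-net-prohibited",
    10: "icmp-host-prohibited",
    13: "icmp-admin-prohibited",
}
# RFC 1812 deprecates codes 9 and 10 in favour of code 13 (Pascal's note)
DEPRECATED_CODES = {9, 10}

# Per-protocol recommendation from Pascal's post, keyed by IP protocol number
RECOMMENDED = {6: "tcp-reset", 17: "icmp-port-unreachable"}
DEFAULT_RECOMMENDED = "icmp-proto-unreachable"  # anything else


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreach(code: int, quoted: bytes) -> bytes:
    """Build a type-3 ICMP message quoting the original IP header + 8 bytes."""
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)  # checksum 0
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def sample_udp_dns_query() -> bytes:
    """Constructed IPv4 + UDP header: 192.0.2.1:40000 -> 192.0.2.2:53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return ip + udp


def decode_reject(packet: bytes) -> dict:
    """Classify an ICMP message; raises ValueError if truncated or corrupt."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = packet[0], packet[1]
    result = {"type": icmp_type, "code": code, "reject_with": None,
              "deprecated": False, "inner_proto": None, "inner_dst": None,
              "inner_dport": None, "recommended": None}
    if icmp_type != ICMP_DEST_UNREACH:
        return result
    result["reject_with"] = REJECT_NAMES.get(code)  # None: not an iptables type
    result["deprecated"] = code in DEPRECATED_CODES
    quoted = packet[8:]
    if len(quoted) >= 20 and quoted[0] >> 4 == 4:  # quoted IPv4 header
        ihl = (quoted[0] & 0x0F) * 4
        proto = quoted[9]
        result["inner_proto"] = proto
        result["inner_dst"] = socket.inet_ntoa(quoted[16:20])
        # the quoted 8 transport bytes carry src/dst ports for TCP and UDP
        if proto in (6, 17) and len(quoted) >= ihl + 4:
            result["inner_dport"] = struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]
        result["recommended"] = RECOMMENDED.get(proto, DEFAULT_RECOMMENDED)
    return result


if __name__ == "__main__":
    for code in (3, 10, 5):
        print(decode_reject(build_dest_unreach(code, sample_udp_dns_query())))
```

Feeding it ICMP payloads captured on the firewall's outside interface tells you which reject type a ruleset actually emits for each protocol and whether any rule still sends the deprecated net/host-prohibited codes; the `recommended` field is Pascal's mapping applied to the protocol found in the quoted datagram.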
 
none
02-21-2007, 01:05 AM
On Tue, 20 Feb 2007 07:40:54 -0800, Pascal Hambourg wrote:

> Hello,
>
> none wrote:
>> Given the various iptables icmp reject types, which is supposed to make
>> the calling host shut up and go away the fastest?
>>
>> Valid reject types:
>> icmp-net-unreachable ICMP network unreachable
>> icmp-host-unreachable ICMP host unreachable
>> icmp-proto-unreachable ICMP protocol unreachable
>> icmp-port-unreachable ICMP port unreachable (default)
>> icmp-net-prohibited ICMP network prohibited
>> icmp-host-prohibited ICMP host prohibited
>> tcp-reset TCP RST packet
>> icmp-admin-prohibited ICMP administratively prohibited (*)

>
> - TCP RST for TCP packets.
> - ICMP Port Unreachable for UDP packets and other supported
> port-oriented protocols
> - ICMP Protocol Unreachable for unsupported or non protocol-oriented
> protocols
> - ICMP Communication Administratively Prohibited is nice but I have
> found that not all hosts understand it, which may reduce its efficiency.
>
> Note : ICMP Network Prohibited and ICMP Host Prohibited are deprecated,
> ICMP Communication Administratively Prohibited must be used instead.
>
> (Source : RFC 1812)


My simple testing today suggests using any kind of reject is a waste of
bandwidth for TCP: they will send at least 3 SYNs whether or not you
respond with a rejection, so DROP becomes more bandwidth-efficient.

thx
 