| From | Andrew <andrew@invalid.invalid> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Why does nmap appear to be slower vs. reject rules than drop rules? |
| Date | 2014-04-05 16:22 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <lhpake$b54$1@dont-email.me> |
I'm setting up a scratch server to experiment with iptables. I tend to prefer rejecting packets over dropping them (mostly because that seems to be what the RFCs specify), so my last rule is a -j REJECT. The rules look like this:

```
# Generated by iptables-save v1.4.14 on Sat Apr  5 16:09:28 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [668:57464]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Apr  5 16:09:28 2014
```

I pared most of them out to lose the noise.

Point nmap at the server with these rules, and it takes ~15 minutes to finish. Comment out the rejection, and it takes less than five seconds. That seems counterintuitive to me, and makes observing differences when I change things irritating.

What is the cause of this?

-- 
Andrew
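An added example, not from the original post or any reply in the thread: the poster's ruleset and its "REJECT commented out" variant as iptables-restore input, plus a check of the kernel sysctls that rate-limit the ICMP errors a REJECT rule sends. It assumes a Linux host exposing net.ipv4.icmp_ratelimit (milliseconds between ICMP errors per destination) and net.ipv4.icmp_ratemask (bitmask of ICMP types the limit covers; the kernel default 6168, 0x1818, includes type 3, Destination Unreachable, which is what --reject-with icmp-port-unreachable emits). Function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: Linux with /proc/sys/net/ipv4/icmp_ratelimit and
# /proc/sys/net/ipv4/icmp_ratemask; bit N of the mask selects ICMP type N.

# The poster's ruleset, trimmed to the rules shown in the post.
ruleset_reject() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The same ruleset with the REJECT rule commented out; unmatched packets
# then fall through to the INPUT chain's DROP policy.
ruleset_drop() {
  ruleset_reject | sed 's/^-A INPUT -j REJECT/#&/'
}

# Count explicit REJECT rules in a ruleset read from stdin.
count_reject_rules() {
  grep -c '^-A .* -j REJECT' || true
}

# Is ICMP type $2 covered by ratemask $1?
# Type 3 (Destination Unreachable) carries the port-unreachable (code 3)
# replies that the REJECT rule generates, so with the default mask those
# replies are throttled to one per icmp_ratelimit ms per destination;
# probes that exceed the limit are still rejected, but get no reply at all.
icmp_type_rate_limited() {
  mask=$1
  type=$2
  [ $(( (mask >> type) & 1 )) -eq 1 ]
}

# Print the live sysctl values (prints nothing if /proc/sys is unavailable).
show_icmp_rate_limit() {
  for f in icmp_ratelimit icmp_ratemask; do
    if [ -r "/proc/sys/net/ipv4/$f" ]; then
      printf '%s=%s\n' "$f" "$(cat "/proc/sys/net/ipv4/$f")"
    fi
  done
}

# Load one of the two rulesets (needs root). Usage: apply_ruleset reject|drop
apply_ruleset() {
  case "$1" in
    reject) ruleset_reject | iptables-restore ;;
    drop)   ruleset_drop   | iptables-restore ;;
    *)      echo "usage: apply_ruleset reject|drop" >&2; return 1 ;;
  esac
}
```

Running `show_icmp_rate_limit` before each timed scan tells you whether the port-unreachable replies are being throttled; a throttled REJECT answers some probes and silently drops the rest, which is a different target from either a clean REJECT or a clean DROP and is worth ruling out before comparing the two timings.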
Why does nmap appear to be slower vs. reject rules than drop rules? Andrew <andrew@invalid.invalid> - 2014-04-05 16:22 +0000
Re: Why does nmap appear to be slower vs. reject rules than drop rules? Andrew <andrew@invalid.invalid> - 2014-04-05 16:31 +0000
Re: Why does nmap appear to be slower vs. reject rules than drop rules? Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2014-04-05 23:47 +0000
Re: Why does nmap appear to be slower vs. reject rules than drop rules? Richard Kettlewell <rjk@greenend.org.uk> - 2014-04-06 10:20 +0100