Use drop instead of reject for DOS cases
Authored by lelutin
drop is the target that avoids ICMP responses. I believe this was just
an omission when copy/pasting the command above.
...@@ -63,7 +63,7 @@ table, you could do this to block a host from accessing the server: ...@@ -63,7 +63,7 @@ table, you could do this to block a host from accessing the server:
That will generate an ICMP response. If this is a DOS condition, you That will generate an ICMP response. If this is a DOS condition, you
might rather avoid that and simply drop the packet with: might rather avoid that and simply drop the packet with:
nft insert rule inet filter INPUT 'ip saddr 192.0.2.0/24 reject' nft insert rule inet filter INPUT 'ip saddr 192.0.2.0/24 drop'
# Deleting a rule # Deleting a rule
... ...
......
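Review bot: The changed command at the end of the hunk matches only IPv4 sources (`ip saddr 192.0.2.0/24`) even though the rule is inserted into an `inet` table, so a reader copying it for a dual-stack source would still accept that source's IPv6 traffic. Consider adding a sentence noting that IPv6 sources need their own rule using `ip6 saddr`. The sentence introducing the command could also state the trade-off explicitly: with `drop` the sender gets no response and waits for a timeout, whereas `reject` answers with an ICMP error, which is why `drop` is preferred for a DoS source. The abbreviation in that sentence would read better as "DoS" than "DOS".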