debops / ansible-ferm

Manage iptables firewall using ferm
GNU General Public License v3.0

Rate limiting rules should just drop flood traffic #102

Status: closed (gaudenz closed this issue 7 years ago)

gaudenz commented 7 years ago

The rules created by ferm__filter_icmp and ferm__filter_syn rate limiting have a REJECT target. This to some degree defeats their point of guarding against excessive traffic. IMO these packets should just be DROPped. If you are under a flood attack you don't want the rules to create even more traffic (even if this traffic goes in the opposite direction).

drybjed commented 7 years ago

Sounds good. By default the firewall sends REJECT when packets are directed to closed ports, however the packets that exceed the specified rate limits could be DROPped. I'm working on the debops.ferm at the moment, so I'll take that into account.