Re: Firewall - DROP or DENY
On Mon, Apr 15, 2002 at 05:50:46PM +0200, Jan-Hendrik Palic wrote:
> Hi ..
> On Mon, Apr 15, 2002 at 04:05:51PM +0200, Jan Arne Fagertun wrote:
> >> Is there really
> >> any significant benefit to using DROP vs DENY, other than costing
> >> potential attackers more time?
> >If you DENY you tell potential attackers "Yes, I'm here, but I (try to)
> >deny you access", and he/she may try harder. If you DROP the attacker
> >don't even know you are there, and there is no reason to try harder...
> But dropping the packages will erase your traffic.
> If you reject with host unreachable, you will get the same effect with
> the less traffic...
Yes, but you might trick legal clients into thinking that your
server is completely unreachable, thus make it impossible for them
to connect to you at all.
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <email@example.com> /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com