
Re: ipchains rules: REJECT vs. DENY



At 996072286s since epoch (07/25/01 12:44:46 -0400 UTC), Matthew Thompson wrote:
> I was talking with a friend of mine who said it's better to have a policy
> of DENY since that doesn't return any information and if someone is trying
> to attack the machine on a closed port, it will take much longer to figure
> it out.
> 
> Are there any drawbacks to DENY?  Is there a general consensus on this
> subject?

In general, DENY is good because it does just what your friend says.
This also makes things like portscans more difficult, as they take
longer to complete (the scanner must time out on all the ports, rather
than just getting back an instant 'closed' message).

There are some downsides, however, that you may want to consider.

The first is that someone may notice that some ports on your box are
open, but others simply time out.  The most logical explanation for
this is a firewall.  This could make your machine more interesting to
attack (a 'challenge', if you will), since you seem to be trying to
protect something.  OTOH, most script kiddies will just move on and
scan somebody else.

The other problem is that if you DENY certain oft-used services, you
can cause problems.  For example, if you DENY on the ident service
port, machines trying to connect to you will time out waiting for ident
info.  Some mail servers try to connect back to the ident port on a
client before accepting mail.  If your machine DENYs ident requests,
it will have to wait for that timeout to occur before sending mail.

Moral of that story is to make sure that you either run an ident
server, or set it to REJECT.

Most other stuff is safe to DENY (daytime, echo, telnet, ftp, www,
finger, > 1024).  The only real question is how you want to appear to
the outside world, and that choice is up to you.

Jason

--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
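As an added illustration of the rule set Jason describes (this is editor-supplied example code, not from Jason or the original thread), the script below builds an ipchains input chain with a DENY policy but a REJECT rule for ident (tcp/113), so a mail server doing an ident lookup gets an immediate RST instead of waiting on a timeout. The address 192.168.1.0/24, the IPCHAINS and LOCAL_NET variables, and the choice of open ports (22 and 25) are assumptions made for the example; by default the commands are only printed, and setting IPCHAINS=ipchains as root applies them.

```shell
#!/bin/sh
# Added example (not part of the original message): a 2.2-kernel ipchains
# input chain with a silent DENY default and an explicit REJECT for ident.
# Dry-run by default: IPCHAINS defaults to "echo ipchains" so the rules are
# printed rather than loaded.  Set IPCHAINS=ipchains (as root) to apply them.

IPCHAINS="${IPCHAINS:-echo ipchains}"     # assumption: dry-run unless overridden
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"  # constructed sample network

apply_rules() {
    $IPCHAINS -F input
    # Default policy: drop silently (no RST, no ICMP), as the thread recommends
    $IPCHAINS -P input DENY
    # Loopback and the local LAN are trusted
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -s "$LOCAL_NET" -j ACCEPT
    # Services this box actually offers (assumed: ssh and smtp)
    $IPCHAINS -A input -p tcp --dport 22 -j ACCEPT
    $IPCHAINS -A input -p tcp --dport 25 -j ACCEPT
    # ident: answer with a RST so remote mail servers don't block on a timeout
    $IPCHAINS -A input -p tcp --dport 113 -j REJECT
    # Replies to connections we initiated (packets without the SYN flag)
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT
    # Log and drop everything else explicitly (the policy would do it too)
    $IPCHAINS -A input -l -j DENY
}

# Count of rules that REJECT rather than DENY; useful as a sanity check
reject_rule_count() {
    apply_rules | grep -c -- '-j REJECT'
}

apply_rules
```

Run it as-is to review the generated commands; only port 113 answers with a REJECT, everything not listed falls through to the logged DENY.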
