
Re: Firewall - DROP or DENY



On Mon, Apr 15, 2002 at 05:50:46PM +0200, Jan-Hendrik Palic wrote:
> Hi .. 
> 
> On Mon, Apr 15, 2002 at 04:05:51PM +0200, Jan Arne Fagertun wrote:
> >> Is there really
> >> any significant benefit to using DROP vs DENY, other than costing
> >> potential attackers more time?
> >If you DENY you tell potential attackers "Yes, I'm here, but I (try to)
> >deny you access", and he/she may try harder. If you DROP the attacker
> >doesn't even know you are there, and there is no reason to try harder...
> 
> But dropping the packages will erase your traffic.
> If you reject with host unreachable, you will get the same effect with
> less traffic...

Yes, but you might trick legal clients into thinking that your
server is completely unreachable, thus making it impossible for them
to connect to you at all.

-- 
Ciao, Arne.
                                                                  -o)
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb@createx.de>   /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V

