Re: Firewall - DROP or DENY

To: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: Firewall - DROP or DENY
From: Nick Busigin <nick@xwing.org>
Date: Mon, 15 Apr 2002 12:27:49 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.3.96.1020415122158.26724B-100000@xwing.xwing.org>
Reply-to: Nick Busigin <nick@xwing.org>
In-reply-to: <[🔎] 20020415152538.GD566@xeno.fitz.cam.ac.uk>

Thanks to all who replied.  I this answer by Joel is the definitive
answer.

                               Nick

On Mon, 15 Apr 2002, Joel Cartwright wrote:

> On Mon Apr 15, 2002, Jan Arne Fagertun wrote:
> > > From: Nick Busigin [mailto:nick@xwing.org]
> > > 
> > > Is there really
> > > any significant benefit to using DROP vs DENY, other than costing
> > > potential attackers more time?
> > 
> > If you DENY you tell potential attackers "Yes, I'm here, but I (try to)
> > deny you access", and he/she may try harder. If you DROP the attacker
> > don't even know you are there, and there is no reason to try harder...
> 
> But if the attacker already knows that the server is up (via an ICMP
> ping, or a 'TCP ping' to a port which needs to be open, e.g. 80), then
> dropping packets from a port will flag that port as 'filtered' when a
> scanner such as nmap is used. Is it not better to deny (reject)
> connections to ports which you want to block (making sure a proper TCP
> reset is sent in response to TCP packets), which will make it appear
> as no service is running on that port at all? The attacker will know
> the server is up, but will not see any interesting services, so will
> leave.
> 
> It is necessary to be able to send TCP resets though, and not just an
> ICMP error message - this is possible with iptables, using
> '--reject-with', as in the following command:
> 
> # iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
> 
> Of course if you want to hide the presence of your server completely,
> including not sending responses to ICMP echo requests and having no
> ports which are universally open, then you would use DROP. But if the
> server is at all visible to an attacker, then I think you're better
> off using REJECT (DENY).
> 
> Joel.

--------------------------------------------------------------------------
Nick Busigin  ...Sent from my Debian/GNU Linux Machine...   nick@xwing.org

To obtain my pgp public key, email me with the subject: "get pgp-key"
--------------------------------------------------------------------------



-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Re: Firewall - DROP or DENY
  - From: Joel Cartwright <joel@fireful.co.uk>

Prev by Date: Re: Firewall - DROP or DENY
Next by Date: NAT for multiple ports
Previous by thread: Re: Firewall - DROP or DENY
Next by thread: Re: Firewall - DROP or DENY
Index(es):
- Date
- Thread