Re: Firewall - DROP or DENY

Thanks to all who replied. I think this answer by Joel is the definitive


On Mon, 15 Apr 2002, Joel Cartwright wrote:

> On Mon Apr 15, 2002, Jan Arne Fagertun wrote:
> > > From: Nick Busigin [mailto:nick@xwing.org]
> > > 
> > > Is there really
> > > any significant benefit to using DROP vs DENY, other than costing
> > > potential attackers more time?
> > 
> > If you DENY you tell potential attackers "Yes, I'm here, but I (try to)
> > deny you access", and he/she may try harder. If you DROP, the attacker
> > doesn't even know you are there, and there is no reason to try harder...
> But if the attacker already knows that the server is up (via an ICMP
> ping, or a 'TCP ping' to a port which needs to be open, e.g. 80), then
> dropping packets from a port will flag that port as 'filtered' when a
> scanner such as nmap is used. Is it not better to deny (reject)
> connections to ports which you want to block (making sure a proper TCP
> reset is sent in response to TCP packets), which will make it appear
> as no service is running on that port at all? The attacker will know
> the server is up, but will not see any interesting services, so will
> leave.
> It is necessary to be able to send TCP resets though, and not just an
> ICMP error message - this is possible with iptables, using
> '--reject-with', as in the following command:
> # iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
> Of course if you want to hide the presence of your server completely,
> including not sending responses to ICMP echo requests and having no
> ports which are universally open, then you would use DROP. But if the
> server is at all visible to an attacker, then I think you're better
> off using REJECT (DENY).
> Joel.
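The distinction Joel draws, that a REJECT with tcp-reset reads as "closed" to a scanner while a DROP reads as "filtered", can be verified from the outside with an ordinary connect() probe. This is an added example, not part of the thread or of iptables itself; the labels mirror how a connect scan reports results, and the host and port are whatever you pass in.

```python
import errno
import socket

# Added example: classify what a plain TCP connect() observes, using the
# same labels a scanner such as nmap reports.  An immediate RST
# (ECONNREFUSED) is what "REJECT --reject-with tcp-reset" sends, so the
# port reads as "closed"; silence until the timeout is what DROP gives,
# so the port reads as "filtered"; an ICMP unreachable (the default
# REJECT reply) also reads as "filtered".

def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # SYN-ACK: a service answered
        except ConnectionRefusedError:
            return "closed"        # RST: REJECT tcp-reset, or simply no listener
        except socket.timeout:
            return "filtered"      # no reply at all: DROP
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "filtered"  # ICMP unreachable: REJECT without tcp-reset
            raise

def self_check():
    """Show both visible outcomes on loopback, which carries no firewall
    rule here: a listening port reads 'open'; the same port after the
    listener is closed reads 'closed' (the kernel answers with RST, which
    is exactly what REJECT tcp-reset sends for a blocked port).
    Returns both labels so a test can assert on them."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return {"listening": while_listening, "after_close": after_close}

if __name__ == "__main__":
    # Run probe() against your own host from outside the firewall: a port
    # under a DROP rule shows 'filtered', one under REJECT tcp-reset 'closed'.
    print(self_check())
```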

