Re: Firewall - DROP or DENY
On Mon Apr 15, 2002, Jan Arne Fagertun wrote:
> > From: Nick Busigin [mailto:nick@xwing.org]
> >
> > Is there really
> > any significant benefit to using DROP vs DENY, other than costing
> > potential attackers more time?
>
> If you DENY you tell potential attackers "Yes, I'm here, but I (try to)
> deny you access", and he/she may try harder. If you DROP the attacker
> don't even know you are there, and there is no reason to try harder...
But if the attacker already knows that the server is up (via an ICMP
ping, or a 'TCP ping' to a port which needs to be open, e.g. 80), then
dropping packets from a port will flag that port as 'filtered' when a
scanner such as nmap is used. Is it not better to deny (reject)
connections to ports which you want to block (making sure a proper TCP
reset is sent in response to TCP packets), which will make it appear
as no service is running on that port at all? The attacker will know
the server is up, but will not see any interesting services, so will
leave.
It is necessary to be able to send TCP resets though, and not just an
ICMP error message - this is possible with iptables, using
'--reject-with', as in the following command:
# iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Of course if you want to hide the presence of your server completely,
including not sending responses to ICMP echo requests and having no
ports which are universally open, then you would use DROP. But if the
server is at all visible to an attacker, then I think you're better
off using REJECT (DENY).
Joel.
--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: