
Re: [LARTC] REJECTing: How and When to use What type of reply.



On Sat, 20 Sep 2003 08:24 am, Mike Mestnik wrote:
> For this thread I'd like to FOCUS on rejecting bad traffic and not on
> dropping. The first case I'd like to discuss is where all but a handful
> of public web sites are allowed for outgoing connections. A typical NAT
> setup is used where all the users sit behind a firewall, some have full
> access to the Internet but most have restricted access. I'd also like to
> bring other minds into the discussion, and not have it be a Linux-only
> problem.
>
> Here is the big deal. A web page like www.nasdaq.com is considered
> valid, so traffic to its IP 208.249.117.71 is ACCEPTed. However this
> site pulls content from an unknown group of other sites, unfortunately
> not ACCEPTed. In the meantime, until all the sites can be added, it's
> not proper to simply DROP these SYN packets. This is where this
> concerns EVERYONE: the client software needs to get the right REJECT
> from the firewall. Now How and When to use What type of reply becomes
> a big deal.
>
> I'd like to open this discussion up to everyone who has 2 cents and/or
> another good use of REJECT vs DROP. For my setup I have winblows
> computers running both IE and Netscape behind a generic firewall
> *Blush*. The two types of REJECTs I have tested are "TCP RST" and ICMP
> (Port Unreachable); are there any others?
>
> This thread may be moved to another list where appropriate, but was
> started on lartc@mailman.ds9a.nl.

Well,

The only distinction between the two that I make is that a REJECT is polite, 
and a DROP is rude. Also, a REJECT says to the other end "yes, there is a 
host there" whereas a DROP says "I got nothing, looks like there's nothing 
there".

For home connections I tend to just DROP everything that I don't want - this 
makes it slower for people to scan, as they aren't getting a valid response 
from every non-open port on my system.

For business, it's probably more correct to REJECT packets, however there are 
a lot of people out there (spammers, script kiddies) who don't play by the 
rules, so that's where I tend to think a DROP rule is fine - if they aren't 
going to play friendly, I'm not either.

If you want your firewall/server to be as invisible as possible, DROP is the 
only way.

t
-- 
GPG : http://n12turbo.com/tarragon/public.key
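As an added illustration of the setup discussed in this thread (this is not a ruleset posted by either participant), here is an iptables-restore format file for the NAT firewall Mike describes, combined with the "invisible" INPUT policy the reply prefers. Assumed values: the LAN is 192.168.1.0/24, eth0 is the Internet-facing interface, and 192.168.1.10 is one "full access" host; 208.249.117.71 (www.nasdaq.com) is the allowed site from the original mail. The two REJECT types Mike tested, TCP RST and ICMP port unreachable, are the `--reject-with` arguments on the last two FORWARD rules.

```conf
# Added example, not from the original thread. Assumed: LAN 192.168.1.0/24,
# Internet interface eth0, full-access host 192.168.1.10.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the firewall's public address.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
# INPUT uses the reply's choice for the firewall itself: unsolicited
# traffic aimed at the box is silently DROPped, so a port scan gets no
# answer. FORWARD, which carries the users' traffic, is answered
# explicitly below instead.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and replies to the firewall's own connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Return traffic for connections the LAN already opened.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Users with full Internet access.
-A FORWARD -s 192.168.1.10 -o eth0 -j ACCEPT

# Restricted users: the handful of allowed public web sites, one rule each
# (208.249.117.71 is www.nasdaq.com as given in the original mail).
-A FORWARD -s 192.168.1.0/24 -d 208.249.117.71 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 208.249.117.71 -p tcp --dport 443 -j ACCEPT

# Everything else from the LAN is REJECTed rather than DROPped, so a
# browser fetching embedded content from a not-yet-listed site fails at
# once instead of hanging until its connect timeout. TCP gets a RST, the
# same thing a closed port would send; anything else gets ICMP port
# unreachable. --reject-with tcp-reset is only valid together with -p tcp.
-A FORWARD -s 192.168.1.0/24 -o eth0 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -s 192.168.1.0/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

Load it with `iptables-restore < rules` (after enabling IPv4 forwarding). On the "are there any others?" question: besides `tcp-reset` and `icmp-port-unreachable` (the default), the iptables REJECT target also accepts `icmp-net-unreachable`, `icmp-host-unreachable`, `icmp-proto-unreachable`, `icmp-net-prohibited`, `icmp-host-prohibited` and `icmp-admin-prohibited`; the `prohibited` variants describe a policy decision more honestly than pretending the port is closed, but clients vary in how quickly they give up on each, so TCP RST remains the reply browsers handle most predictably.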