Re: [LARTC] REJECTing: How and When to use What type of reply.
On Sat, 20 Sep 2003 08:24 am, Mike Mestnik wrote:
> For this thread I'd like to FOCUS on rejecting bad traffic and not on
> dropping. The first case I'd like to discuss is where all but a handful of
> public web sites are allowed for outgoing connections. A typical NAT setup
> is used where all the users sit behind a firewall, some have full access to
> the Internet but most have restricted access. I'd also like to bring other
> minds into the discussion, and not have it be a Linux only problem.
>
> Here is the big deal. A web page like www.nasdaq.com is considered valid, so
> traffic to its IP 220.127.116.11 is ACCEPTed. However this site pulls
> content from an unknown group of other sites, unfortunately not ACCEPTed. In
> the meantime, until all the sites can be added, it's not proper to simply
> DROP these SYN packets. This is where this concerns EVERYONE: the client
> software needs to get the right REJECT from the firewall. Now How and When
> to use What type of reply becomes a big deal.
>
> I'd like to open this discussion up to everyone who has 2 cents and/or
> another good use of REJECT vs DROP. For my setup I have winblows computers
> running both IE and Netscape behind a generic firewall *Blush*. The two types
> of REJECTs I have tested are "TCP RST" and ICMP (Port Unreachable), are
> there any others?
>
> This thread may be moved to another list where appropriate, but was started
> on firstname.lastname@example.org.
The only distinction between the two that I make is that a REJECT is polite,
and a DROP is rude. Also, a REJECT says to the other end "yes, there is a
host there" whereas a DROP says "I got nothing, looks like there's nothing

For home connections I tend to just DROP everything that I don't want - this
makes it slower for people to scan, as they aren't getting a valid response
from every non-open port on my system.

For business, it's probably more correct to REJECT packets, however there are
a lot of people out there (spammers, script kiddies) who don't play by the
rules, so that's where I tend to think a DROP rule is fine - if they aren't
going to play friendly, I'm not either.

If you want your firewall/server to be as invisible as possible, DROP is the
GPG : http://n12turbo.com/tarragon/public.key
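An iptables ruleset for the NAT gateway the thread describes, added here as an example and not part of either message: restricted LAN clients get a TCP RST (or ICMP port unreachable for UDP) for unlisted servers so their browsers fail immediately instead of retrying the SYN, rejected attempts are logged so the allow-list can grow, and the gateway's own unused ports are silently dropped as the reply suggests for a home box. The LAN interface eth1, the 192.168.1.0/24 network and the full-access host 192.168.1.10 are assumptions; 220.127.116.11 is the address quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed layout: the LAN
# hangs off eth1 as 192.168.1.0/24 and 192.168.1.10 is a full-access host.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
# Gateway itself: silently DROP, as the reply recommends for a home box.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarded traffic: replies to known connections, then the full-access host,
# then everyone else on the LAN through the allow-list chain.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.10 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.0/24 -m state --state NEW -j RESTRICTED
# The one approved web server from the thread (www.nasdaq.com's address).
-A RESTRICTED -d 220.127.116.11 -p tcp --dport 80 -j ACCEPT
-A RESTRICTED -d 220.127.116.11 -p tcp --dport 443 -j ACCEPT
# Anything else: log it (rate-limited) so the allow-list can grow, then
# answer at once instead of letting the browser retry the SYN to a timeout.
-A RESTRICTED -m limit --limit 6/min -j LOG --log-prefix "RESTRICTED-REJECT: "
-A RESTRICTED -p tcp -j REJECT --reject-with tcp-reset
-A RESTRICTED -p udp -j REJECT --reject-with icmp-port-unreachable
-A RESTRICTED -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

main() {
    f="${1:-/tmp/restricted-rules.v4}"
    write_ruleset "$f"
    echo "ruleset written to $f"
    # Parse-check only (no rules are loaded); needs root and iptables-restore.
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$f" && echo "ruleset parses cleanly" \
            || echo "parse check unavailable here"
    fi
}

main "$@"
```

Load it for real with `iptables-restore < /tmp/restricted-rules.v4` once the parse check passes; the LOG lines show which extra sites the approved page pulls content from.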