[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [LARTC] REJECTing: How and When to use What type of reply.

On Sat, 20 Sep 2003 08:24 am, Mike Mestnik wrote:
> For this thread I'd like to FOCUS on rejecting bad traffic and not on
> dropping.  The first case
> I'd like to discuss is where all but a handful of public web sites are
> allowed for ought going
> connections.  A typical NAT setup is used where all the users sit behind
> a firewall, some have
> full access to the Internet but most have restricted access.  I'd also
> like to bring in other
> minds into the discussion, and not have it be a linux only problem.
> Here is the big deal.  A web page like www.nasdaq.com is considered
> valid, so traffic to it's IP
> is ACCEPTed.  However this site pulles content from an
> unknown group of other
> sites, unfortunately not ACCEPTed.  In the mean time untill all the
> sites can be added it's not
> proper to simply DROP these SYN packets.  This is where this concerns
> EVERYONE, the client
> software needs to get the right REJECT from the firewall.  Now How and
> When to use What type of
> reply becomes a big deal.
> I'd like to open this discussion up to every one who has 2 cents and/or
> another good use of REJECT
> vs DROP.  For my setup I have winblows computers running both IE and
> Netscape behind a generic
> firewall *Blush*.  The two types of REJECTs I have tested are "TCP RST"
> and ICMP (Port
> Unreachable), are there any others?
> This thread may be moved to another list where appropriate, but was
> started on lartc@mailman.ds9a.nl.


The only disctinction between the two that I make is that a REJECT is polite, 
and a DROP is rude. Also, a REJECT says to the other end "yes, there is a 
host there" whereas a DROP say "I got nothing, looks like there's nothing 

For home connections I tend to just DROP everything that I don't want - this 
makes it slower for people to scan, as they aren't getting a valid response 
from every non-open port on my system.

For business, it's probably more correct to REJECT packets, however there are 
a lot of people out there (spammers, script kiddies) who don't play by the 
rules, so that's where I tend to think a DROP rule is fine - if they aren't 
going to play friendly, I'm not either.

If you want your firewall/server to be as invisible as possible, DROP is the 
only way.

GPG : http://n12turbo.com/tarragon/public.key

Reply to: