
Re: [LARTC] REJECTing: How and When to use What type of reply.



Tarragon Allen said on Sat, Sep 20, 2003 at 09:15:41AM +1000:
> The only distinction between the two that I make is that a REJECT is polite, 
> and a DROP is rude. Also, a REJECT says to the other end "yes, there is a 
> host there" whereas a DROP says "I got nothing, looks like there's nothing 
> there".
 
More correctly, a REJECT requires your firewall to take action based on the
request of an untrusted third party, while a DROP does not.

If I send your firewalls a bunch of spoofed traffic, and you RST/ICMP the
target, I've just used you to DoS them, if you get my meaning.  Of course, you
can use the limit module to help prevent this, but I think that's a bit too
complex for a security device, and just drop stuff I don't want.

> If you want your firewall/server to be as invisible as possible, DROP is the 
> only way.
 
It's not going to be invisible (unless it's acting as a bridge, in which case
it's okay for it to be invisible).  Routers need to respond to certain ICMP
types to function properly, so you shouldn't block them.

M
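As an added illustration of the points made in this reply (this is not code from Tarragon, from M, or from the LARTC list; it is an example written here), the script below builds an iptables INPUT chain in which the default action is DROP, REJECT replies are capped with the limit module so a flood of spoofed packets cannot turn the firewall into a RST/ICMP reflector, and the ICMP types a router needs are still accepted. It assumes a Linux host with iptables; the function names, the rate values and the dry-run `IPT` variable are choices made for this example, and by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run iptables rule builder that
# contrasts DROP with rate-limited REJECT. Set IPT=iptables to apply for
# real; by default the commands are only echoed.
IPT="${IPT:-echo iptables}"

# ICMP types a router or host should keep accepting so path MTU discovery
# and traceroute still work (these are valid iptables --icmp-type names).
allow_needed_icmp() {
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Echo requests are answered, but rate-limited: every reply we send is
    # triggered by an untrusted packet whose source may be spoofed.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
}

# "Polite" rejection, bounded by the limit module. Once the cap is hit the
# rule stops matching and the packet falls through to the final DROP, so the
# number of RST/ICMP errors we can be made to emit is capped regardless of
# how much spoofed traffic arrives.
reject_with_cap() {
    $IPT -A INPUT -p tcp -m limit --limit 10/second --limit-burst 20 \
        -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -m limit --limit 10/second --limit-burst 20 \
        -j REJECT --reject-with icmp-port-unreachable
}

build_rules() {
    # Default policy: silent drop, so anything not explicitly handled below
    # generates no reply at all.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allow_needed_icmp
    reject_with_cap
    # Everything else (including REJECT overflow) is dropped: no reflection.
    $IPT -A INPUT -j DROP
}

# Number of rules that send a reply back to the sender; a quick check that
# the reply-generating surface of the chain stays small and bounded.
count_reject_rules() {
    build_rules | grep -c -- '-j REJECT'
}

build_rules
```

Run it as-is to review the rule set it would install; run with `IPT=iptables` as root to apply it. The first rule sets the DROP policy, the two REJECT rules are the only ones that answer an unsolicited packet, and each of those carries a limit match so the firewall's reply rate does not scale with an attacker's send rate.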


