Tarragon Allen said on Sat, Sep 20, 2003 at 09:15:41AM +1000:

> The only distinction between the two that I make is that a REJECT is polite,
> and a DROP is rude. Also, a REJECT says to the other end "yes, there is a
> host there" whereas a DROP says "I got nothing, looks like there's nothing
> there".

More correctly, a REJECT requires your firewall to take action based on the request of an untrusted third party, while a DROP does not. If I send your firewalls a bunch of spoofed traffic, and you RST/ICMP the target, I've just used you to DoS them, if you get my meaning. Of course, you can use the limit module to help prevent this, but I think that's a bit too complex for a security device, and I just drop stuff I don't want.

> If you want your firewall/server to be as invisible as possible, DROP is the
> only way.

It's not going to be invisible (unless it's acting as a bridge, in which case it's okay for it to be invisible). Routers need to respond to certain ICMP types to function properly, so you shouldn't block them.

M
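As an added illustration (not from the thread or any of its posters), here is a small iptables-restore ruleset that puts the two points above side by side: a REJECT rate-limited with the limit module so spoofed traffic cannot turn the firewall into a RST reflector, a silent DROP for everything else, and the ICMP types a router still needs to answer. The interface name `eth0`, the port 113 chosen as the "politely refused" service, and the rate values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# ruleset; review it, then: ./reject_vs_drop.sh | sudo iptables-restore
# Assumptions: external interface eth0 and the port to refuse (default 113)
# are placeholders; adjust to the host.

WAN_IF="${WAN_IF:-eth0}"

# filter_rules [port]: print a *filter table with default DROP policies,
# a rate-limited REJECT for one port, and the ICMP types a router needs.
filter_rules() {
  port="${1:-113}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host opened are fine; so is loopback.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Keep the ICMP types needed for normal routing/PMTU behaviour instead of
# blocking all ICMP; echo-request is allowed but rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# "Polite" refusal, but capped: above the limit the packet falls through
# to DROP, so a flood of spoofed SYNs cannot make this host RST a victim.
-A INPUT -i $WAN_IF -p tcp --dport $port -m limit --limit 2/second --limit-burst 5 -j REJECT --reject-with tcp-reset
-A INPUT -i $WAN_IF -p tcp --dport $port -j DROP
# Everything else hits the INPUT DROP policy: no reply to untrusted input.
COMMIT
EOF
}
```

The REJECT rule must come before the DROP rule for the same port; iptables stops at the first match, so reversing them would silently discard everything.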