[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [LARTC] REJECTing: How and When to use What type of reply.

On Sat, 20 Sep 2003 09:32 am, Mark Ferlatte wrote:
> Tarragon Allen said on Sat, Sep 20, 2003 at 09:15:41AM +1000:
> > The only disctinction between the two that I make is that a REJECT is
> > polite, and a DROP is rude. Also, a REJECT says to the other end "yes,
> > there is a host there" whereas a DROP say "I got nothing, looks like
> > there's nothing there".
> More correctly, a REJECT requires your firewall to take action based on the
> request of an untrusted third party, while a DROP does not.
> If I send your firewalls a bunch of spoofed traffic, and you RST/ICMP the
> target, I've just used you to DoS them, if you get my meaning.  Of course,
> you can use the limit module to help prevent this, but I think that's a bit
> too complex for a security device, and just drop stuff I don't want.
> > If you want your firewall/server to be as invisible as possible, DROP is
> > the only way.
> It's not going to be invisible (unless it's acting as a bridge, in which
> case it's okay for it to be invisible).  Router's need to respond to
> certain ICMP types to function properly, so you shouldn't block them.
> M

True - I tend to lean heavily on the stateful aspects of netfilter and DROP 
packets I don't know about (aren't related to any established connections). 
This takes into account ICMP traffic. Also, unless I'm feeling really 
paranoid, I will allow icmp echo-requests (ping). It depends on the role of 
the server/firewall.

GPG : http://n12turbo.com/tarragon/public.key

Reply to: