
Re: [LARTC] REJECTing: How and When to use What type of reply.



On Sat, 20 Sep 2003 09:32 am, Mark Ferlatte wrote:
> Tarragon Allen said on Sat, Sep 20, 2003 at 09:15:41AM +1000:
> > The only distinction between the two that I make is that a REJECT is
> > polite, and a DROP is rude. Also, a REJECT says to the other end "yes,
> > there is a host there" whereas a DROP says "I got nothing, looks like
> > there's nothing there".
>
> More correctly, a REJECT requires your firewall to take action based on the
> request of an untrusted third party, while a DROP does not.
>
> If I send your firewalls a bunch of spoofed traffic, and you RST/ICMP the
> target, I've just used you to DoS them, if you get my meaning.  Of course,
> you can use the limit module to help prevent this, but I think that's a bit
> too complex for a security device, and just drop stuff I don't want.
>
> > If you want your firewall/server to be as invisible as possible, DROP is
> > the only way.
>
> It's not going to be invisible (unless it's acting as a bridge, in which
> case it's okay for it to be invisible).  Routers need to respond to
> certain ICMP types to function properly, so you shouldn't block them.
>
> M

True - I tend to lean heavily on the stateful aspects of netfilter and DROP
packets I don't know about (that aren't related to any established connection).
This takes into account ICMP traffic. Also, unless I'm feeling really
paranoid, I will allow icmp echo-requests (ping). It depends on the role of
the server/firewall.

t
-- 
GPG : http://n12turbo.com/tarragon/public.key
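
A ruleset in the spirit of what the two posters describe, added here as an
illustration; it is not code from the thread or from either author. It
combines the stateful DROP approach (accept ESTABLISHED/RELATED, drop the rest
by policy) with the limit-module trick for the one place a REJECT is wanted.
The service choices are assumptions made for the example: SSH is accepted
inbound, and ident (tcp/113) is answered with a rate-limited TCP reset because
remote mail and IRC servers otherwise hang on it until their own timeout.

```iptables
# Example iptables-restore file (IPv4). Load with:  iptables-restore < this-file
# Assumed policy: this is a host or router that offers SSH and nothing else
# to the outside; adjust the NEW-connection rules for the box's real role.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is trusted.
-A INPUT -i lo -j ACCEPT

# The stateful core: anything that belongs to a connection conntrack already
# knows is accepted. RELATED also covers ICMP errors (destination-unreachable,
# time-exceeded, parameter-problem) tied to our own flows, so PMTU discovery
# and unreachable notifications still work without a blanket "allow all ICMP".
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot classify at all (bad TCP flags, stray ACKs) are
# dropped silently rather than rejected; a reject here would be a reply to
# someone we have no reason to talk to.
-A INPUT -m state --state INVALID -j DROP

# New inbound service: SSH (assumption for the example).
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Ping is answered, but rate-limited so the box cannot be used as a cheap
# echo reflector. Whether to allow this at all depends on the box's role.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT

# The one REJECT: ident probes get a TCP RST so the remote server gives up
# immediately. The limit match is what keeps a flood of spoofed SYNs to port
# 113 from turning this box into a RST source aimed at a forged address;
# anything over the limit simply falls through to the chain's DROP policy.
-A INPUT -p tcp --dport 113 -m state --state NEW -m limit --limit 5/second --limit-burst 10 -j REJECT --reject-with tcp-reset

# Everything else hits the INPUT policy: DROP, with no reply of any kind.
COMMIT
```

Two caveats when using this. First, the limit counter is global for that
rule, so during a spoof flood legitimate ident probes are dropped along with
the forged ones; that is the accepted cost, since a dropped ident probe only
delays the remote server rather than harming a third party. Second, the
ruleset does nothing against spoofed source addresses on its own; on a
multi-homed router, enabling reverse-path filtering in the kernel
(`net.ipv4.conf.all.rp_filter=1`) discards packets arriving on an interface
that would not be used to route back to their claimed source, which removes
most of the reflection concern before any REJECT rule is reached.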
