
RE: is iptables enough?




> -----Original Message-----
> From: Josh Carroll [mailto:jkc120@sbcglobal.net]
> Sent: Friday 21 March 2003 08:46
> To: debian-security@lists.debian.org
> Subject: Re: is iptables enough?
> 
> 
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
> 
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
> 
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
> 
> Josh


I tend to agree and usually set my policies to DROP.
One notable exception is TCP dest port 113, which I prefer to REJECT,
because I don't like to wait for Auth timeouts when I login to IRC.

Drawback of this : REJECTING some packets helps nmap detect your OS 
(nmap needs one open port and one REJECT for best results).

Back to the policy, I guess setting it to REJECT or DROP is quite related
to the use of your machine; also you "probably" want to REJECT unauthorized
packets that come from your intranet.
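As an added example (not code posted by anyone in this thread), here is a dry-run iptables script that builds the rule set described in the reply above: INPUT policy DROP, tcp/113 rejected with a TCP reset so ident lookups fail fast, and traffic from the intranet rejected rather than silently dropped. The LAN subnet 192.168.1.0/24, the interface names eth0/eth1 and SSH as the only WAN-exposed service are assumptions made for illustration; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. A dry-run iptables rule builder
# for the policy discussed above: default DROP, REJECT ident (tcp/113) with
# a TCP reset, and REJECT (not DROP) unauthorized packets from the intranet.
#
# Assumptions that are NOT in the original message: the LAN is 192.168.1.0/24
# on eth1, the WAN is eth0, and SSH (tcp/22) is the only service open to the
# WAN. Nothing is applied unless APPLY=1 is set (then run as root).

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# emit: print the iptables command, or execute it when APPLY=1
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Default policies: silently DROP whatever is not explicitly handled,
    # so unwanted traffic generates no reply packets on the upstream link.
    emit -P INPUT DROP
    emit -P FORWARD DROP
    emit -P OUTPUT ACCEPT
    emit -F INPUT

    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ident (tcp/113): answer with a TCP RST instead of dropping, so an IRC
    # server's auth lookup fails immediately instead of waiting for a timeout.
    # Caveat from the thread: this RST is the "closed port" response that
    # nmap's OS fingerprinting wants to see next to an open port.
    emit -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Services exposed to the WAN (assumed: SSH only).
    emit -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT

    # Unauthorized packets from the intranet: REJECT rather than DROP, so a
    # LAN host gets an immediate error instead of a hung connection.
    emit -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -j REJECT --reject-with tcp-reset
    emit -A INPUT -i "$LAN_IF" -s "$LAN_NET" \
        -j REJECT --reject-with icmp-port-unreachable

    # Anything else falls through to the INPUT policy (DROP).
}

# count_rules TARGET: number of generated rules that jump to TARGET
# (always a dry run in a subshell, so it never touches the live tables).
count_rules() {
    ( APPLY=0; build_rules ) | grep -c -- "-j $1"
}

build_rules
```

Run it with `sh` to review the generated commands, or `APPLY=1 sh` as root to load them. If you apply it over SSH, note that the flush happens before the ESTABLISHED,RELATED rule is re-added, so there is a short window in which packets for your own session are dropped; keep the flush and the state rule adjacent as above so that window stays small.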


