
Re: ipchains rules: REJECT vs. DENY



on Wed, Jul 25, 2001 at 02:32:51PM -0400, Noah Meyerhans (noahm@debian.org) wrote:
> On Wed, Jul 25, 2001 at 01:38:19PM -0400, Jason Healy wrote:
> > > Are there any drawbacks to DENY?  Is there a general consensus on this
> > > subject?
> > 
> > In general, DENY is good because it does just what your friend says.
> > This also makes things like portscans more difficult, as they take
> > longer to complete (the scanner must timeout on all the ports, rather
> > than just getting back an instant 'closed' message).
> 
> There's definitely no consensus on this; it's largely a matter of
> personal taste.  I generally believe that DENY is almost always the
> wrong thing to do.  Sending back the port-unreachable ICMP packet (via
> the REJECT rule) is the polite thing to do, which I think makes for
> better netizenship.  I don't see how making portscans take longer
> equates to making them more difficult to perform, as you (Jason)
> claim.

The benefits are twofold:

  - For a two-stage scan, DENY gives the appearance of an unpopulated
    IP, so you're never hit by the second stage of the scan.

  - For automated netblock sweeps, DENY causes the remote (scanning)
    host to time out on each port.  In a netblock that's composed
    largely of hosts with deny policies, a scan will take significantly
    longer.  This means the black hat has to devote more resources
    (time, hardware, both) to the scan.

My own firewall drops all blocked ports, with the one discretionary
exception of 113 (authentication service).  This is used by some mail
transports.  Actually, I deny this too, though I've got the 'REJECT'
line commented in my IP filtering ruleset.  A full nmap scan (1024
ports) on the box takes several minutes.

This reject/deny policy comes from the book _Building Linux and OpenBSD
Firewalls_, recommended.

-- 
Karsten M. Self <kmself@ix.netcom.com>      http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?         There is no K5 cabal
  http://gestalt-system.sourceforge.net/           http://www.kuro5hin.org
Free Dmitry!! Boycott Adobe!! Repeal the DMCA!!  http://www.freedmitry.org
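An ipchains input ruleset in the spirit of the policy described in this message (default DENY, with port 113 as the one candidate for a polite REJECT), as an added example that is not the author's own ruleset. The interface name, local address, the two accepted services and the returning-traffic rule are assumptions; by default the script only prints the rules for review, and loading them requires setting IPCHAINS to the real binary.

```shell
#!/bin/sh
# Added example, not taken from the thread: an ipchains input policy that
# silently drops (DENY) everything not explicitly allowed, and answers ident
# (113) with REJECT so remote mail transports get an instant ICMP
# port-unreachable instead of waiting for their ident lookup to time out.
#
# Safety default: IPCHAINS=echo prints the rules instead of loading them.
# To load for real: IPCHAINS=/sbin/ipchains ./input-policy.sh
IPCHAINS="${IPCHAINS:-echo}"
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface
MY_IP="${MY_IP:-192.0.2.10}"      # assumed local address (documentation range)

load_input_rules() {
    # Flush the input chain and set the default policy to DENY: unmatched
    # packets are dropped with no response at all.
    "$IPCHAINS" -F input
    "$IPCHAINS" -P input DENY

    # Loopback traffic and non-SYN (returning) TCP segments are accepted.
    "$IPCHAINS" -A input -i lo -j ACCEPT
    "$IPCHAINS" -A input -p tcp ! -y -s 0/0 -d "$MY_IP" -j ACCEPT

    # Services deliberately offered to the outside (assumed: ssh and smtp).
    for port in 22 25; do
        "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s 0/0 -d "$MY_IP" "$port" -j ACCEPT
    done

    # ident (113): the one discretionary REJECT. Comment this line out to
    # let ident fall through to the DENY policy instead, as the message does.
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s 0/0 -d "$MY_IP" 113 -j REJECT -l

    # Explicit catch-all so dropped packets are logged (-l) before the
    # chain policy would have dropped them silently anyway.
    "$IPCHAINS" -A input -i "$EXT_IF" -j DENY -l
}

load_input_rules
```

Run it once with the default IPCHAINS=echo and read the output: every line should end in ACCEPT, REJECT or DENY, and the only REJECT should be the ident rule. A scanner probing this host sees instant port-unreachable replies only on 113; every other closed port simply times out, which is the behaviour the message attributes to its own several-minute nmap run.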
