On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> On 2022-07-12 10:33, Gareth Evans wrote:
>> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies wrote:
>>> In most cases it's a best practice to configure all chains with
>>> _policy drop_ and then add rules for the traffic that you want to
>>> allow
>> All the nftables and PF howtos I have found take this approach.
>> Why is it best practice? Is there any security advantage over
>> rejection?
> I think it is just that 'reject' tells the remote system there is something
> listening.
> mick
Oh quite contraire!
It literally tells you that there is nothing. And that is the problem.
This way your system can be part of an attack on someone else.
Because your system creates a message which then is sent to the
address in the src address. And that can be a forged address.
This way you reflect messages to someone else.
In a nice world, where everybody plays by the rules, reject would be the
proper thing. Here in reality drop is the better choice.
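As an added illustration (not part of the thread, nor from any of the howtos mentioned), here is a minimal nftables ruleset that follows the "policy drop, then allow what you need" pattern under discussion; the SSH port, the rate limits and the 192.0.2.0/24 trusted network are placeholder assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: default-drop input chain with explicit allows.
flush ruleset

table inet filter {
    chain input {
        # Default: silently drop. Unlike reject, drop sends nothing back, so a
        # packet carrying a forged source address cannot make this host emit
        # an ICMP error or TCP RST toward some third party.
        type filter hook input priority filter; policy drop;

        # Loopback and flows this host already knows about.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP errors are needed for PMTU discovery etc.; rate-limit echo.
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 5/second accept

        # Services actually offered (placeholder: SSH, new connections limited).
        tcp dport 22 ct state new limit rate 10/minute accept

        # Optional: be "polite" only toward hosts you trust, where a spoofed
        # source is not a concern (placeholder network). Everything else
        # falls through to the drop policy.
        ip saddr 192.0.2.0/24 tcp dport 1-65535 reject with tcp reset
        ip saddr 192.0.2.0/24 reject
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm the active policy with `nft list ruleset`; a port scan from an untrusted address should now time out rather than receive ICMP port-unreachable or TCP RST replies.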