
Re: nft newbie





On 12 Jul 2022, at 11:31, mick crane <mick.crane@gmail.com> wrote:

> On 2022-07-12 10:33, Gareth Evans wrote:
>> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
>>
>>> In most cases it's a best practice to configure all chains with
>>> _policy drop_ and then add rules for the traffic that you want to
>>> allow
>> All the nftables and PF howtos I have found take this approach.
>> Why is it best practice?  Is there any security advantage over rejection?
> I think it is just that 'reject' tells the remote system there is something listening.
> mick

Oh yes (!), thanks.  A few other points (from a quick web search) here


including potential for REJECT to facilitate DDoS on asymmetric links - so it surprises me again (perhaps this time sensibly?) as the firewalld default.

Incidentally (I mainly have Gene in mind) it might be worth pointing out that nftables has individual and mass conversion commands for iptables rules/rulesets - perhaps useful if you're in a rush or just to see equivalence


Best wishes
Gareth
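The default-deny layout the thread recommends (every base chain set to policy drop, then explicit accepts, no reject rule that would answer unsolicited probes) together with the iptables-to-nft conversion command Gareth mentions, as an added example that is not part of any message in this thread. The table and chain names, the allowed ports and the sample iptables rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; names, ports and the sample rule are assumptions.
# Print a ruleset in which every base chain is "policy drop": anything not
# explicitly accepted is discarded silently. No TCP RST or ICMP unreachable is
# sent back, so the host does not announce that it is filtering, and a flood
# with spoofed sources cannot be turned into reply traffic on the uplink.
write_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport 22 ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
        udp dport { 53, 123 } ct state new accept
        tcp dport { 53, 80, 443 } ct state new accept
    }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c reads from stdin with
# "-f -"). Returns 0 with a note when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, check skipped"; return 0; }
    write_ruleset | nft -c -f -
}

# Show the nft equivalent of one iptables rule with iptables-translate (from the
# iptables-nft tooling); prints a note instead when the tool is not installed.
translate_example() {
    command -v iptables-translate >/dev/null 2>&1 || { echo "iptables-translate not installed"; return 0; }
    iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

write_ruleset
```

Save the printed ruleset to a file and load it with `nft -f` once `check_ruleset` passes; `iptables-restore-translate -f` does the same conversion for a whole saved iptables ruleset.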
