Re: nft newbie

To: debian-user Mailing List <debian-user@lists.debian.org>
Subject: Re: nft newbie
From: fxkl47BF@protonmail.com
Date: Tue, 12 Jul 2022 11:57:05 +0000
Message-id: <[🔎] nycvar.QRO.7.76.2207120652220.7156@tehzcl5.tehzcl-arg>
Reply-to: fxkl47BF@protonmail.com
In-reply-to: <[🔎] 10854bda-f43c-4bf5-87cf-2a7f52fc1361@www.fastmail.com>
References: <[🔎] d47bc2b6-cc49-6d08-d422-3495f3a59028@shentel.net> <[🔎] 2ad1777d-17c7-f114-a976-a2bec857c29c@shentel.net> <[🔎] 3d2d2857-875c-4636-b102-a94f4c1a4121@www.fastmail.com> <[🔎] 83c9d108-51c8-4e17-a565-61ad041b9651@www.fastmail.com> <[🔎] alpine.DEB.2.20.2207091100050.16633@maria.rogerprice.org> <[🔎] bec39705-8557-4b35-9ee2-08da5d22fef1@www.fastmail.com> <[🔎] a43601d6-03af-4298-ac3e-2664fbf2051a@www.fastmail.com> <[🔎] CAF358wRErEpOFNU5V6qim3RT8RNCG-aSgXOm287Yp9Qjb+4Leg@mail.gmail.com> <[🔎] 10854bda-f43c-4bf5-87cf-2a7f52fc1361@www.fastmail.com>

On Tue, 12 Jul 2022, Gareth Evans wrote:

> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestudies@gmail.com> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that you want to
>> allow
>
> All the nftables and PF howtos I have found take this approach.
>
> Why is it best practice?  Is there any security advantage over rejection?

Scammers send out emails to every possible address
If someone happens to respond, "Bugger off", they know they have a good address
If your systems sends a reject notice you're telling someone they have a good address
I was taught to drop everything and only open what is necessary

Reply to:

References:
- nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: gene heskett <gheskett@shentel.net>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Roger Price <debian@rogerprice.org>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>
- Re: nft newbie
  - From: Maximiliano Estudies <maxiestudies@gmail.com>
- Re: nft newbie
  - From: "Gareth Evans" <donotspam@fastmail.fm>

Prev by Date: Re: Converting an old Chromebook to pure Debian, was: OT, Recommendation for low cost laptop
Next by Date: Re: avahi-daemon allow/deny interfaces question
Previous by thread: Re: nft newbie
Next by thread: Re: nft newbie
Index(es):
- Date
- Thread