Re: nft newbie
"Gareth Evans" <donotspam@fastmail.fm> writes:
> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestudies@gmail.com> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that you want to
>> allow
>
> All the nftables and PF howtos I have found take this approach.
>
> Why is it best practice? Is there any security advantage over rejection?
Not really. To me, using DROP is a simplistic view not based in reality.
https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
covers the pros and cons reasonably with this conclusion:
"DROP offers no effective barrier to hostile forces but can dramatically
slow down applications run by legitimate users. DROP should not normally
be used."
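For a concrete picture of what the two replies are arguing about, here is a minimal inet ruleset that follows the quoted "policy drop, then allow" layout, with a reject variant appended in the same input chain. This is an added example, not a ruleset posted by anyone in the thread; the table and chain names, the interface, and the single allowed service (SSH on port 22) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mail thread. Load with: nft -f thisfile
# Assumptions: one host, loopback plus a public interface, SSH is the
# only service that should be reachable.
flush ruleset

table inet filter {
    chain input {
        # A chain policy can only be accept or drop; there is no
        # "policy reject", which is why howtos end up with policy drop.
        type filter hook input priority filter; policy drop;

        # Loopback and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path-MTU discovery and IPv6
        # neighbour discovery; blanket-dropping them breaks things.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services that are actually meant to be reachable.
        tcp dport 22 accept

        # Reject variant from the discussion: answer unwanted traffic
        # explicitly so a legitimate client fails at once instead of
        # waiting for a timeout. Placed last, so anything it does not
        # match still falls through to the drop policy.
        tcp flags syn reject with tcp reset
        reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

`nft -c -f thisfile` parses the file without loading it, which is a cheap way to catch syntax errors before touching a remote host; `nft list ruleset` afterwards shows what the kernel actually holds. To get the pure DROP behaviour the thread argues against, delete the two reject lines; the chain policy then silently discards everything the accept rules did not match.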