
Re: nft newbie



On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> On 2022-07-12 10:33, Gareth Evans wrote:
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> 
> > > In most cases it's a best practice to configure all chains with
> > > _policy drop_ and then add rules for the traffic that you want to
> > > allow
> > 
> > All the nftables and PF howtos I have found take this approach.
> > 
> > Why is it best practice?  Is there any security advantage over
> > rejection?
> > 
> I think it is just that 'reject' tells the remote system there is something
> listening.
> mick
> 


Oh quite contraire!
It literally tells you that there is nothing. And that is the problem.
This way your system can be part of an attack on someone else,
because your system creates a message which is then sent to the
packet's src address. And that can be a forged address.
This way you reflect messages to someone else.

In a nice world, where everybody plays by the rules, reject would be the
proper thing. Here in reality drop is the better choice.


-H
-- 
Henning Follmann           | hfollmann@itcfollmann.com
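As an added illustration (not part of the thread), a minimal nftables ruleset built the way the thread recommends: every chain has `policy drop` and only the wanted traffic is accepted, so an unsolicited packet with a forged source address produces no reply at all. The LAN prefix and the SSH port are assumptions for the example.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        # Default-drop: anything not explicitly accepted is silently discarded.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only from the assumed local network (example prefix).
        ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Everything else falls through to the chain policy. With "drop" the
        # kernel emits nothing; an explicit "reject" rule here would instead
        # send a TCP RST or ICMP unreachable to whatever src address the packet
        # carried, which is the reflection the thread warns about.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`; the `policy drop;` in each chain is what makes unmatched traffic disappear without a response.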

