On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote:
> On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> > On 2022-07-12 10:33, Gareth Evans wrote:
> > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> > > >
> > > > In most cases it's a best practice to configure all chains with
> > > > _policy drop_ and then add rules for the traffic that you want to
> > > > allow
> > >
> > > All the nftables and PF howtos I have found take this approach.
> > >
> > > Why is it best practice? Is there any security advantage over
> > > rejection?
> > >
> > I think it is just that 'reject' tells the remote system there is something
> > listening.
> > mick
> >
>
> Oh quite contraire!
> It literally tells you that there is nothing. And that is the problem.
> This way your system can be part of an attack onto someone else.
> Because your system creates a message which then is sent to the
> address in the src address. And that can be a forged address.
> This way you reflect messages to someone else.

I was thinking of amplification too. But now you owe us at least a hint
on how you can use a RST to do amplification. So far the factor is 1,
which doesn't win you much, does it?

> In a nice world, where everybody plays by the rules reject would be the
> proper thing. Here in reality drop is the better choice.

C'mon, show us the code ;-)

Cheers
-- 
t
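The "policy drop, then allow what you need" pattern the thread refers to, as an added nftables ruleset (example code, not from any poster in this thread); interface names and the listening port are assumptions, and the reject variants under discussion are shown in comments only:

```nft
#!/usr/sbin/nft -f
# Added example: minimal IPv4/IPv6 host firewall with every chain on
# policy drop and explicit accept rules. Interface "lo" and port 22 are
# assumptions for illustration.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always allowed.
        iif "lo" accept

        # Replies to connections this host opened, plus related traffic.
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services this host offers: SSH (port 22 assumed).
        tcp dport 22 accept

        # Anything else hits the chain policy: silently dropped, no packet
        # is generated. The alternative discussed in the thread would be,
        # for example:
        #   tcp dport 1-65535 reject with tcp reset
        #   reject with icmpx type port-unreachable
        # Each of these emits a reply addressed to whatever source address
        # the incoming packet carried, which is the reflection concern
        # raised above.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Connections this host initiates (DNS, HTTP/S); narrow as needed.
        meta l4proto { tcp, udp } th dport { 53, 80, 443 } ct state new accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; a packet that matches no accept rule in `input` is discarded by the chain policy without any reply being sent.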