> On 12 Jul 2022, at 11:31, mick crane <mick.cr...@gmail.com> wrote:
> On 2022-07-12 10:33, Gareth Evans wrote:
>> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> 
>>> In most cases it's a best practice to configure all chains with
>>> _policy drop_ and then add rules for the traffic that you want to
>>> allow
>> All the nftables and PF howtos I have found take this approach.
>> Why is it best practice?  Is there any security advantage over rejection?
> I think it is just that 'reject' tells the remote system there is something 
> listening.
> mick
> 
Oh yes (!), thanks.  A few other points (from a quick web search) here

https://www.coresentinel.com/reject-versus-drop/

including potential for REJECT to facilitate DDoS on asymmetric links - so it 
surprises me again (perhaps this time sensibly?) as the firewalld default.

Incidentally (I mainly have Gene in mind) it might be worth pointing out that 
nftables has individual and mass conversion commands for iptables 
rules/rulesets - perhaps useful if you're in a rush or just to see equivalence

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Best wishes
Gareth
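For concreteness, here is what the "policy drop, then allow what you want" pattern from the quoted advice looks like as an nftables ruleset. This is an added example, not something from the thread or from the linked pages; the allowed service (SSH on port 22) and the table and chain names are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): minimal inet filter table whose
# input and forward chains default to "policy drop"; only listed traffic
# is accepted, everything else is silently discarded by the chain policy.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services this host actually offers (assumed here: SSH only)
        tcp dport 22 accept

        # No final rule: unmatched packets fall through to "policy drop".
        # A reject-style equivalent would be, for example,
        #   tcp dport 22 reject with tcp reset
        # which sends a response and so tells the sender a host is listening.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Save it as e.g. /etc/nftables.conf, check it without applying with `nft -c -f /etc/nftables.conf`, load it with `nft -f /etc/nftables.conf`, and inspect the result with `nft list ruleset`. Because the dropped packets generate no reply, the host gives a port scanner no answer at all, which is the point made above about reject revealing that something is listening.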
