On Tue, 12 Jul 2022 at 14:13, Anssi Saari (<a...@sci.fi>) wrote:
>
> "Gareth Evans" <donots...@fastmail.fm> writes:
>
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestud...@gmail.com>
> > wrote:
> >
> >> drop and reject are not equivalent.
> >
> > Fair enough
> >
> > [...]
> >> In most cases it's a best practice to configure all chains with
> >> _policy drop_ and then add rules for the traffic that you want to
> >> allow
> >
> > All the nftables and PF howtos I have found take this approach.
> >
> > Why is it best practice? Is there any security advantage over rejection?
>
> Not really, to me using DROP is a simplistic view not based in reality.
>
> https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> covers the pros and cons reasonably with this conclusion:
>
> "DROP offers no effective barrier to hostile forces but can dramatically
> slow down applications run by legitimate users. DROP should not normally
> be used."
nft only allows for two possible default policies, DROP or ACCEPT, thus it isn't possible to configure a chain with default REJECT. Thus my suggestion to configure default drop (just in case) and a "catch-all" reject at the bottom of the chain.
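The layout described in the reply, written out as an nftables ruleset. This is an added example, not a ruleset posted in the thread: the chain policy is `drop` (the only choices are `accept` or `drop`), the allow rules come first, and the last two rules actively reject whatever is left, sending a TCP RST for TCP and an ICMP/ICMPv6 port-unreachable for everything else. The exposed service (SSH on port 22) and the table/chain names are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread): default-drop chain with an
# explicit catch-all reject at the bottom, so unmatched traffic is rejected
# rather than silently dropped. Names and the exposed port are assumptions.

flush ruleset

table inet filter {
    chain input {
        # Chain policy can only be accept or drop; drop is the safety net in
        # case the reject rules below are ever removed or fail to load.
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked connections.
        iif "lo" accept
        ct state established,related accept

        # Packets the connection tracker cannot classify: dropping (not
        # rejecting) these is deliberate, a reply would be meaningless.
        ct state invalid drop

        # ICMP/ICMPv6 are needed for PMTU discovery, neighbour discovery, etc.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Intentionally exposed services (assumed: SSH only).
        tcp dport 22 accept

        # Catch-all reject. This is what differs from plain "policy drop":
        # TCP clients get a RST immediately, other protocols get an ICMP
        # port-unreachable (icmpx picks the IPv4 or IPv6 variant as needed).
        meta l4proto tcp reject with tcp reset
        reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f firewall.nft` before loading it with `nft -f firewall.nft`; `-c` parses and validates the ruleset without committing it, which matters here because a syntax error in the reject rules would otherwise leave you with a silent default-drop chain, the behaviour the reply is trying to avoid.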