I use reject as a courtesy. On internal interfaces I let my colleagues know
they have been dis-allowed. External interfaces simply get no information
one way or another.

Henry
> -----Original Message-----
> From: Ryan Russell [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, September 08, 1999 2:51 PM
> To: Bennett Samowich
> Cc: Firewalls
> Subject: Re: deny or reject
>
> >This may be another newbie question, when "dis-allowing" certain packets
> >is it better to deny or reject? Why the different actions?
>
> Sounds like Firewall-1? It should be drop and reject, then.
>
> Reject will send an ICMP unreachable, while drop will do nothing.
>
> Here's an "advanced tip" for you. You want to reject ident, but you can
> drop just about everything else.
>
> It's a philosophical issue as to which is better. Attackers can get the
> same information back, but if you use drop it will take them longer. If
> you use reject, they'll find out which ports are open and closed quicker,
> but perhaps they'll then go away faster.
>
> Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
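The two positions in this thread (reject ident but drop everything else; reject on internal interfaces as a courtesy, drop on external ones) can be expressed in one ruleset. The following nftables ruleset is an added example, not configuration from either poster and not Firewall-1 syntax; it assumes a Linux host with nftables, an external interface named eth0, an internal interface named eth1, and SSH and SMTP as the only offered services. Everything else is an illustrative choice.

```nft
#!/usr/sbin/nft -f
# Added example: drop-versus-reject policy for a two-interface host.
# Assumed: eth0 = external, eth1 = internal, services on tcp/22 and tcp/25.
flush ruleset

table inet filter {
    chain input {
        # Chain policy is drop, so anything not matched below is silently
        # discarded: the sender's SYN is retransmitted until its own timeout
        # expires, which is why a scan against a dropping host takes longer.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ident (tcp/113): reject from everywhere. A remote SMTP or IRC server
        # that looks us up gets an immediate answer instead of hanging until
        # its ident lookup times out. A TCP reset is used here; the ICMP
        # variant described in the thread would be
        #   tcp dport 113 reject with icmpx type port-unreachable
        tcp dport 113 reject with tcp reset

        # Services actually offered, on either interface.
        tcp dport { 22, 25 } accept

        # Internal interface: tell colleagues they were refused. TCP gets a
        # reset; everything else (UDP etc.) gets an ICMP port unreachable.
        iifname "eth1" meta l4proto tcp reject with tcp reset
        iifname "eth1" reject with icmpx type port-unreachable

        # External interface (eth0): no rule, so packets fall through to the
        # chain policy and are dropped without any reply.
    }
}
```

Load it with `nft -f <file>` as root. To see the difference the thread describes, connect to a closed port on each interface from a client: against eth1 the connect fails at once with "connection refused", against eth0 it sits until the client's own connect timeout, and a port scanner reports the first as closed and the second as filtered.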