David A. Ranch wrote:
> >I found in writing firewall rules, it's easier to do a "blanket" deny
> >policy (so you cover all your bases), then only do "accept" for those
> >services you want to allow.
>
> Why not a blanket REJECT?

Personal preference, DENY drops the packet, REJECT sends back an ICMP
message.  I deny by policy and reject by specific rule sets (including
catchall reject and log rules).  (in my opinion) policy drops should only
occur during rule setup when the interface is going up.  I don't actually
want to tell the other end to stop sending yet.  After the rule set is
configured then a REJECT rule will tell the other side to quit trying and
log the offender so I can take action at a later time.

For example: I have a tcp 80 request start up the link.  The rule set for
firewalling is created in the ip-up script (I don't have the ip address
before then).  It's possible to get a reply from the http server before the
accept rule has taken effect.  A reject would tell the http server to not
bother trying again, a deny would (hopefully) allow the server to try again
with another packet.

Is that any clearer?

Lourdes
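The ordering the reply describes (blanket DENY policy set while the link comes up, then the specific ACCEPT rules, then logged REJECT catch-alls once setup is complete) as an added shell example in ipchains syntax; this is not code from the thread or its authors. It assumes pppd's ip-up argument convention ($1 = interface, $4 = local IP) and a constructed default address; by default it only prints the commands, and setting IPCHAINS=/sbin/ipchains applies them.

```shell
#!/bin/sh
# Added example (not from the original thread): an ip-up style rule set that
# follows the order described in the reply for ipchains:
#   1. blanket DENY policy first (silent drop while the link is coming up),
#   2. the specific ACCEPT rules,
#   3. logged REJECT catch-alls that tell remote hosts to stop retrying.
# Default is a dry run that prints the commands; set IPCHAINS=/sbin/ipchains
# to apply them for real.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# build_rules IFACE LOCAL_IP -- emit (or apply) the rule set in that order
build_rules() {
    iface="$1"
    local_ip="$2"

    # 1. Flush and set the blanket DENY policy: anything not matched below is
    #    silently dropped, so an HTTP reply that arrives before the ACCEPT
    #    rule exists gets no ICMP error and the server can retry.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # 2. Specific ACCEPT rules: replies to outbound HTTP (port 80) and DNS.
    #    "! -y" admits only non-SYN segments, i.e. already-open connections.
    $IPCHAINS -A input -i "$iface" -p tcp -s 0/0 80 -d "$local_ip" 1024: ! -y -j ACCEPT
    $IPCHAINS -A input -i "$iface" -p udp -s 0/0 53 -d "$local_ip" 1024: -j ACCEPT

    # 3. Logged REJECT catch-alls now that setup is complete: the other side is
    #    told to quit, and "-l" logs the offender for later follow-up.
    $IPCHAINS -A input -i "$iface" -p tcp -d "$local_ip" -y -j REJECT -l
    $IPCHAINS -A input -i "$iface" -j REJECT -l
}

# order_ok RULES -- check that the DENY policy precedes every ACCEPT and that
# the REJECT catch-alls come after the last ACCEPT (the order the reply relies on)
order_ok() {
    rules="$1"
    policy_line=$(printf '%s\n' "$rules" | grep -n -- '-P input DENY' | cut -d: -f1 | head -1)
    first_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | cut -d: -f1 | head -1)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | cut -d: -f1 | tail -1)
    first_reject=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1 | head -1)
    [ -n "$policy_line" ] && [ -n "$first_reject" ] &&
        [ "$policy_line" -lt "$first_accept" ] && [ "$last_accept" -lt "$first_reject" ]
}

# Dry run with ip-up style arguments (constructed defaults when run by hand).
rules=$(build_rules "${1:-ppp0}" "${4:-10.0.0.2}")
printf '%s\n' "$rules"
order_ok "$rules" && echo "rule order: DENY policy -> ACCEPT -> logged REJECT"
```

Because the policy is DENY rather than REJECT, any packet that slips in between the `-P input DENY` line and the ACCEPT lines is dropped silently instead of provoking an ICMP error at the remote host, which is exactly the window the reply is worried about during ip-up.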
