> But, you're right. The decision between DROP and REJECT is a very
> tough one. Some two or three weeks ago we were pleading for DROP
> for some valid reasons and now it seems that we have good reasons
> for REJECT. But, still, I'd prefer the DROP. It's less expensive
> and besides who cares that they know
>       "there is most likely a packetfilter in play".
In my opinion, the only 100% sure place to put DROP is on a router that
is only a router and does not have any ports open.

In other situations I am considering REJECT with tcp-reset for TCP
and reject with icmp dest-unreach port-unreach for UDP.

BTW, I posted a patch to netfilter-devel on Saturday that allows us to:

 iptables -A INPUT -m ipunusedbit -j LOG --log-prefix "Unused: "
The IP unused bit can be set with the tool sing for example.

That is one of many ways described by Ofir Arkin to do very discreet OS
fingerprinting.

Anybody interested in this?
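As an added example (not part of the post above, and not the netfilter patch it mentions), the following Python shows what the "IP unused bit" actually is on the wire and how a defender can check for it offline: bit 0 of the 3-bit IPv4 flags field (RFC 791 says it must be zero), which is the high bit of header byte 6. The function names, the constructed packets and the `ipunusedbit_match` stand-in for the patch's match are all assumptions made for this example; it runs against inline test data only.

```python
import socket
import struct

# IPv4 flags field (3 bits, stored in the top of bytes 6-7 of the header).
IP_FLAG_RESERVED = 0x4  # "unused" bit; RFC 791 requires it to be zero
IP_FLAG_DF = 0x2        # Don't Fragment
IP_FLAG_MF = 0x1        # More Fragments


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, flags: int = 0,
                      frag_offset: int = 0, ttl: int = 64, ident: int = 0,
                      payload_len: int = 0) -> bytes:
    """Constructed test data: a minimal 20-byte IPv4 header with a valid checksum."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                         flags_frag, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_flags(packet: bytes) -> dict:
    """Decode the flags/fragment word and protocol of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if ipv4_checksum(packet[:(packet[0] & 0x0F) * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    flags = flags_frag >> 13
    return {
        "reserved": bool(flags & IP_FLAG_RESERVED),
        "df": bool(flags & IP_FLAG_DF),
        "mf": bool(flags & IP_FLAG_MF),
        "frag_offset": flags_frag & 0x1FFF,
        "proto": packet[9],
    }


def ipunusedbit_match(packet: bytes) -> bool:
    """Hypothetical stand-in for an '-m ipunusedbit' style match: true when the
    reserved flag bit is set, i.e. what the LOG rule in the post would record."""
    return parse_ipv4_flags(packet)["reserved"]


def flagged_indexes(packets: list) -> list:
    """Scan a capture (list of raw IPv4 headers) and return indexes of packets
    whose reserved bit is set. Malformed headers are skipped, not reported."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            if ipunusedbit_match(pkt):
                hits.append(i)
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: one normal DF packet, one with the reserved bit.
    normal = build_ipv4_header("192.0.2.10", "192.0.2.1", 6, flags=IP_FLAG_DF)
    probe = build_ipv4_header("192.0.2.10", "192.0.2.1", 6, flags=IP_FLAG_RESERVED)
    print("flagged:", flagged_indexes([normal, probe]))  # [1]
```

Such a packet is harmless to the stack (the bit is ignored by conforming hosts), which is exactly why it makes a quiet probe and why logging it, rather than acting on it, is the sensible first step.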