On Wed, 2008-11-05 at 07:25 -0700, Hans Fugal wrote:

> Could you explain that in more depth for me? I see how REJECT is nicer
> on the TCP side of things, but I don't see how that makes it preferable
> for security. The conventional wisdom I've always heard is that DROP
> reveals less about your firewall, acts in a small way as a tarpit for
> e.g. portscanners, etc. I think I prefer REJECT personally, so I look
> forward to your arguments.
If you leave even a single port open, an attacker can discover you. It can act as a tarpit, but it doesn't reveal less about you. You could argue that REJECT leaves doubt about whether a firewall exists. If there's even a single port open, DROP confirms that a firewall exists. The attacker just has to figure out how to get around it.

An advantage of DROP is that it uses less CPU and bandwidth.

I wouldn't go as far as saying that REJECT is more secure or that "REJECT acts more like TCP". Both act like TCP. REJECT acts like the port is closed. DROP acts like the IP doesn't exist. Each has its advantages, but I don't think they're large enough to declare one more secure.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
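To make the argument above concrete, here is an added example (not code from either poster) that models what a remote TCP probe observes under a DROP policy, a REJECT policy, and no firewall at all, and then applies the reasoning from the reply: a host that answers on one port but stays silent on others has confirmed that something is filtering. The `Policy` enum, `observe` and `firewall_confirmed` names are this example's own, and the port sets are constructed.

```python
"""Model of what a remote TCP probe sees under DROP vs REJECT (constructed example)."""
from enum import Enum


class Policy(Enum):
    DROP = "DROP"      # packet silently discarded: probe times out ("filtered")
    REJECT = "REJECT"  # TCP RST (or ICMP unreachable) returned: port looks "closed"
    NONE = "NONE"      # no firewall: the kernel itself answers closed ports with RST


def observe(policy, open_ports, probed_ports):
    """Return {port: 'open' | 'closed' | 'filtered'} as a SYN probe would classify it."""
    result = {}
    for port in probed_ports:
        if port in open_ports:
            result[port] = "open"       # SYN-ACK: the listening service answers
        elif policy is Policy.DROP:
            result[port] = "filtered"   # no reply at all
        else:
            result[port] = "closed"     # RST: REJECT and "no firewall" look identical here
    return result


def host_looks_alive(obs):
    """Any open or closed verdict proves a host is answering at that IP."""
    return any(v in ("open", "closed") for v in obs.values())


def firewall_confirmed(obs):
    """A host that demonstrably answers some ports but silently eats others must be filtering."""
    return host_looks_alive(obs) and any(v == "filtered" for v in obs.values())


if __name__ == "__main__":
    probes = [22, 80, 443]
    for policy in Policy:
        obs = observe(policy, open_ports={22}, probed_ports=probes)
        print(policy.value, obs, "firewall confirmed:", firewall_confirmed(obs))
```

With one open port, DROP yields `filtered` verdicts beside an `open` one, which is exactly the "confirms a firewall exists" case; REJECT with the same open port is indistinguishable from having no firewall, and DROP with no open ports looks like an unused IP.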
