On Wed, 2008-11-05 at 08:38 -0700, Stuart Jansen wrote:

> You could argue that REJECT leaves doubt about whether a firewall
> exists. If there's even a single port open, DROP confirms that a
> firewall exists. The attacker just has to figure out how to get around
> it. An advantage of DROP is that it uses less CPU and bandwidth.
DROP also reduces possible smurf attacks. Consider if host A sends a TCP SYN packet to host B, but forges the source address of C. B is going to respond to C that the port is closed. If you add up enough A's, eventually you could really flood C with a bunch of bogus traffic without C knowing where the actual source of the attack is. This type of attack is also fun to do with ICMP echo-request to a broadcast address, and recently it's been picked up with stateless UDP protocols as well (DNS, for one).

In general I prefer to DROP on the Internet side and REJECT on the LAN side.

Corey
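The reflection scenario Corey describes (A sends a SYN to B with C's address forged as the source; with REJECT, B's answer lands on C) can be made concrete with a small model of a firewall that applies DROP on its Internet-facing interface and REJECT on its LAN interface. This is an added example, not code from the thread or from any of its participants; the `Firewall` class, the `Packet` fields, the interface names `wan`/`lan`, and the RFC 5737 documentation addresses are all constructed for illustration. It also shows the caveat that an open port answers the forged source regardless of policy, so DROP only removes the reflection for closed ports.

```python
"""Toy model of DROP vs REJECT on a border firewall, to show where
reflected replies go when the source address of a SYN is forged.
Constructed example (hypothetical names and RFC 5737 addresses)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # claimed source address (may be forged)
    dst: str    # destination address
    dport: int  # destination TCP port (0 for replies in this toy model)
    iface: str  # interface the packet arrives on: "wan" or "lan"


class Firewall:
    """Per-interface policy for closed ports: "DROP" (silence) or "REJECT"
    (send a TCP RST / ICMP unreachable back to the claimed source)."""

    def __init__(self, open_ports, policy):
        self.open_ports = set(open_ports)
        self.policy = dict(policy)  # e.g. {"wan": "DROP", "lan": "REJECT"}

    def handle(self, pkt):
        """Return the reply packet sent back to pkt.src, or None if dropped."""
        if pkt.dport in self.open_ports:
            # An open port answers SYN with SYN/ACK no matter what the policy
            # says; the reply goes to whoever the packet *claims* to be from.
            return Packet(pkt.dst, pkt.src, 0, pkt.iface)
        if self.policy[pkt.iface] == "REJECT":
            # REJECT: a negative answer (RST / port unreachable) to the claimed source.
            return Packet(pkt.dst, pkt.src, 0, pkt.iface)
        return None  # DROP: nothing is reflected


def reflected_traffic(fw, packets):
    """Count reply packets per destination address for a batch of packets."""
    counts = Counter()
    for p in packets:
        reply = fw.handle(p)
        if reply is not None:
            counts[reply.dst] += 1
    return counts


FIREWALL_ADDR = "198.51.100.1"   # host B (constructed)
VICTIM_ADDR = "203.0.113.9"      # host C, the forged source (constructed)
LAN_CLIENT = "192.168.1.20"      # a legitimate LAN client (constructed)


def spoofed_syn_flood(n, forged_src=VICTIM_ADDR, port=23):
    """n SYNs from the Internet side to a closed port, all claiming to come from C."""
    return [Packet(forged_src, FIREWALL_ADDR, port, "wan") for _ in range(n)]


def compare_policies(n=50):
    """Replies that reach C (forged source) and the LAN client under each policy."""
    traffic = spoofed_syn_flood(n) + [Packet(LAN_CLIENT, FIREWALL_ADDR, 25, "lan")]
    drop_wan = Firewall({80}, {"wan": "DROP", "lan": "REJECT"})
    reject_wan = Firewall({80}, {"wan": "REJECT", "lan": "REJECT"})
    a = reflected_traffic(drop_wan, traffic)
    b = reflected_traffic(reject_wan, traffic)
    return {
        "drop_wan": {"to_C": a[VICTIM_ADDR], "to_lan_client": a[LAN_CLIENT]},
        "reject_wan": {"to_C": b[VICTIM_ADDR], "to_lan_client": b[LAN_CLIENT]},
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

With DROP on the Internet side the forged source receives nothing for closed ports while the LAN client still gets an immediate RST for its own mistaken connection, which is the split Corey prefers; switching the Internet side to REJECT turns every spoofed SYN into one reflected packet at C.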
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
