On Fri, 5 Jan 2001, Roy G. Culley wrote:

> Thornton Prime <[EMAIL PROTECTED]> wrote:
>
> > I forgot to mention, in general it is better to REJECT than DENY. REJECT
> > responds to the source by telling them that the port is unreachable,
> > whereas deny simply drops the packets entirely.
> >
> > If you are going to block access by protocol and port, then you should use
> > REJECT, and it will appear that the service is simply not running. If you
> > DENY, it will tip your hand that there is a firewall rule.
> >
> > If you want to hide your machine entirely from a foreign host, then it is
> > appropriate to use DENY, but it is only effective if you block all access,
> > not selected protocols or ports.
>
> I have to disagree here. I've been a security / firewall administrator
> for several years and the consensus among admins is to deny. All firewalls
> that I use deny by default. In fact the only time I have ever used
> reject is when I receive an ident/auth request. I reject these to avoid
> delays in sending emails to servers that use ident/auth. Why help possible
> attackers by letting them know immediately that a service is not running?

I've been a security/firewall administrator for years also and the
consensus among the pack I run with is to REJECT. <grin>

I don't mind helping script kiddies by letting them know that a
service is unreachable, because they will move on anyway because they
are just bulk scanning. A determined intruder will recognize that a
machine not responding to specific ports but responding on other ports or
protocols is protected by a firewall. Their next step will be to map your
firewall, and you've made that easier for them.

In general, most network administrators consider it poor form to not
respond with ICMP port unreachable messages.

On the other hand, I do keep a list of script kiddie networks and lame
networks, and I DENY those entirely.
This has been a bit of debate between network administrators and firewall
administrators for a while, though, to DENY or REJECT. It is fair to say
that they will be equally effective in achieving the immediate goal of
keeping people out.

thornton
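What the two policies look like as actual rules, as an added example that is not part of the thread: iptables syntax (ipchains' DENY target is iptables' DROP; REJECT keeps its name), with 192.0.2.0/24 as a constructed placeholder for a blocklisted network, and a dry run by default so the rules are printed rather than installed.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: with IPT unset the
# rules are echoed; run as root with IPT=iptables to install them.
IPT=${IPT:-echo}

# Constructed placeholder for the "script kiddie networks" list.
LAME_NETS="192.0.2.0/24"

apply_rules() {
    # REJECT on a UDP port answers with ICMP port unreachable, which is
    # exactly what an unfirewalled host sends for a closed UDP port, so the
    # service simply looks absent.
    "$IPT" -A INPUT -p udp --dport 161 -j REJECT --reject-with icmp-port-unreachable

    # A closed TCP port on an unfirewalled host answers with RST, not ICMP,
    # so for TCP use tcp-reset to look the same. This is also the ident/auth
    # case from the thread: a fast refusal on 113 stops remote mail servers
    # waiting on an ident lookup before accepting mail.
    "$IPT" -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Blocklisted networks are dropped entirely, every protocol and port:
    # no reply of any kind, so there is no mixed response pattern to map.
    for net in $LAME_NETS; do
        "$IPT" -A INPUT -s "$net" -j DROP
    done
}

apply_rules
```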

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list