Mike Burger wrote -

> On Thu, 19 Sep 2002, Brenden Walker wrote:
> 
> > > But, if you REJECT a packet, it sends back a "port unreachable"
> > > return packet (this by the laws of the RFC). If you DROP a packet,
> > > it dies on the floor with no return. So you will always know when
> > > you have been REJECTed, but you will not always know if you have
> > > been DROPped... unless the scanner assumes that if it does not get
> > > an immediate response, then the packet has been dropped and a
> > > firewall must be up.
> > 
> > Seems to me that the preferred behaviour is to drop and thus neither
> > confirm nor deny that you even exist. Of course for UDP packets that
> > doesn't seem to matter much.
> 
> That's how my firewall is configured.

Then there is an additional argument in favor of DROP: during a DDoS situation, if
your firewall is set to REJECT, then it must take the time to respond to every packet
hitting the interface, adding to the load on your box, whereas a DROP policy on the
firewall will not respond to any packets and maintains a lower load.

jb



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
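The exchange the thread is arguing about, as an added example that is not part of any post above: a simulated firewall that applies the iptables DROP or REJECT target to a probe, and a scanner that turns the reply (or the lack of one) into a port state using the rules Nmap applies for SYN and UDP scans. The policy names, the `Probe`/`Reply` types and the `scan()` helper are this example's own. It assumes the iptables REJECT default of ICMP port-unreachable (type 3, code 3) and also models `--reject-with tcp-reset` and `--reject-with icmp-admin-prohibited`; no packets are sent, so it runs offline.

```python
"""Simulate what a port scanner learns from a DROP vs REJECT firewall.

Added example for this thread, not code from any poster.  The firewall
side is a simplified model of the iptables DROP and REJECT targets; the
scanner side applies Nmap's port-state rules for SYN (-sS) and UDP (-sU)
scans.  Policy names and the Probe/Reply types are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    proto: str   # "tcp" (SYN probe) or "udp" (empty datagram)
    port: int


@dataclass(frozen=True)
class Reply:
    kind: str                      # "syn-ack", "rst", "udp", "icmp" or "none"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NONE = Reply("none")                       # nothing comes back (DROP)
ICMP_PORT_UNREACH = Reply("icmp", 3, 3)    # iptables -j REJECT default
ICMP_ADMIN_PROHIB = Reply("icmp", 3, 13)   # --reject-with icmp-admin-prohibited


def firewall_reply(policy: str, probe: Probe, listening: bool) -> Reply:
    """What the host sends back for one probe under the given policy.

    policy: "ACCEPT" (no filtering; the kernel's own behaviour),
            "DROP", "REJECT" (icmp-port-unreachable, the default),
            "REJECT-admin" (icmp-admin-prohibited) or
            "REJECT-tcp-reset" (tcp-reset, valid for TCP rules only).
    """
    if policy == "DROP":
        return NONE
    if policy == "REJECT":
        return ICMP_PORT_UNREACH
    if policy == "REJECT-admin":
        return ICMP_ADMIN_PROHIB
    if policy == "REJECT-tcp-reset":
        if probe.proto != "tcp":
            raise ValueError("--reject-with tcp-reset is only valid for TCP")
        return Reply("rst")
    if policy == "ACCEPT":
        if probe.proto == "tcp":
            return Reply("syn-ack") if listening else Reply("rst")
        # UDP: the stack answers a closed port with ICMP port unreachable;
        # an open port normally stays silent for an empty probe.
        return NONE if listening else ICMP_PORT_UNREACH
    raise ValueError(f"unknown policy {policy!r}")


# ICMP type-3 codes that Nmap maps to "filtered" for both TCP and UDP
# (port unreachable, code 3, is protocol-specific and handled below).
_FILTERED_CODES = {1, 2, 9, 10, 13}


def classify(probe: Probe, reply: Reply) -> str:
    """Nmap-style port state for one probe/reply pair.

    Reply kind "none" means no answer after the scanner's retransmissions,
    i.e. the probe timed out; that waiting is what makes DROP slow to scan.
    """
    if probe.proto == "tcp":
        if reply.kind == "syn-ack":
            return "open"
        if reply.kind == "rst":
            return "closed"
        if reply.kind == "icmp" and reply.icmp_type == 3:
            if reply.icmp_code == 3 or reply.icmp_code in _FILTERED_CODES:
                return "filtered"
        if reply.kind == "none":
            return "filtered"
    else:
        if reply.kind == "udp":
            return "open"
        if reply.kind == "icmp" and reply.icmp_type == 3:
            if reply.icmp_code == 3:
                return "closed"          # same as an unfiltered closed port
            if reply.icmp_code in _FILTERED_CODES:
                return "filtered"
        if reply.kind == "none":
            return "open|filtered"       # Nmap cannot tell the two apart
    return "unknown"


def scan(policy: str, proto: str, port: int = 22, listening: bool = False) -> str:
    """What the scanner concludes about one port behind the given policy."""
    probe = Probe(proto, port)
    return classify(probe, firewall_reply(policy, probe, listening))


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        policies = ["ACCEPT", "DROP", "REJECT", "REJECT-admin"]
        if proto == "tcp":
            policies.append("REJECT-tcp-reset")
        for pol in policies:
            print(f"{proto} port 22, no listener, {pol:17} -> {scan(pol, proto)}")
```

Running it shows the asymmetry the thread touches on: for TCP, both DROP and the default REJECT come out as "filtered" (REJECT just answers faster), while `tcp-reset` looks exactly like an unfiltered closed port; for UDP, DROP yields the ambiguous "open|filtered", whereas the default REJECT is indistinguishable from a closed port on an unfiltered host.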