[ale] iptables: DROP vs. REJECT --reject-with tcp-reset

Amarendra Godbole (Intl Vendor) v-amarg at microsoft.com
Tue Apr 2 11:22:13 EST 2002


> Right now my iptables firewall is set up to DROP all undesirable TCP
> packets. However, I have read that DROP can be a giveaway that you are
> running a firewall. Is it better to try to look like you don't have a
> firewall and use REJECT --reject-with tcp-reset? What are good scenarios
> to use REJECT --reject-with tcp-reset?

Leaving the packet filtering tool aside, security by obscurity is no
longer a valid scenario, and never works for long. The choice between DROP
and REJECT can be made based on how powerful your firewall machine is. With
DROP the packets are immediately dropped and no reply is sent, while with
REJECT a reply which says ``Hey, I am rejecting your packets :)''
is sent. So if you want to put less burden on your machine, go for
DROP; otherwise REJECT is also fine.

Choosing DROP or REJECT on the basis of security by obscurity is
not a good idea. And there is no harm in letting them know that yes, we
have adequate mechanisms to fight you... :)

Cheers,
--amar

--
Amarendra A. Godbole / Microsoft ``Services For UNIX'' / These opinions
are _MINE_.
If you miss love, you miss life.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
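Added example (not from the original post or its author): an INPUT rule set generator that contrasts the two policies discussed above. It assumes a host exposing only ports 22 and 443 and the `iptables` command; set `IPTABLES="echo iptables"` before calling `apply_rules` to print the rules instead of applying them.

```shell
#!/bin/sh
# Emit iptables INPUT rules for one of two terminal policies:
#   DROP   - silent; the remote side sees a timeout ("filtered").
#   REJECT - answer with a TCP RST, as an unfirewalled host with a closed
#            port would ("closed"), so the filter is less visible.
rules_for() {
    action="$1"   # DROP | REJECT
    printf '%s\n' \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -p tcp --syn --dport 22 -j ACCEPT" \
        "-A INPUT -p tcp --syn --dport 443 -j ACCEPT"
    case "$action" in
        DROP)
            printf '%s\n' "-A INPUT -p tcp -j DROP" ;;
        REJECT)
            # Every RST costs the firewall a packet, and for a spoofed source
            # the RST goes to a third party. Bound that cost with -m limit;
            # anything above the limit falls through to a silent DROP.
            printf '%s\n' \
                "-A INPUT -p tcp -m limit --limit 20/second --limit-burst 50 -j REJECT --reject-with tcp-reset" \
                "-A INPUT -p tcp -j DROP" ;;
        *)
            echo "usage: rules_for DROP|REJECT" >&2
            return 1 ;;
    esac
}

# Apply the generated rules with iptables (or whatever $IPTABLES names).
apply_rules() {
    rules_for "$1" | while IFS= read -r rule; do
        # Word splitting of $rule into separate arguments is intended here.
        # shellcheck disable=SC2086
        ${IPTABLES:-iptables} $rule || return 1
    done
}

# Usage (as root):  apply_rules REJECT
# Dry run:          IPTABLES="echo iptables" apply_rules DROP
```

The `-m limit` rule is the practical counterpart to the "burden on your machine" point: REJECT stays affordable because the reply rate is capped.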






More information about the Ale mailing list