[ale] iptables: DROP vs. REJECT --reject-with tcp-reset

Chris Ricker kaboom at gatech.edu
Tue Apr 2 12:08:54 EST 2002


On 2 Apr 2002, James P. Kinney III wrote:

> If someone is banging on a port I have closed off for security reasons,
> I don't want to give them any information or waste any bandwidth telling
> them to go away. Just like when the door-to-door salesman knocks, I
> don't want to be bothered to answer it and tell them to go away.
> 
> Besides, DROP is shorter to type and uses less of my systems to
> implement. :)

Depending upon the client, sending resets is actually more efficient.

If the client receives an ICMP port unreachable, she will give up and move 
on to the next UDP port.  Ditto for reset and TCP ports.

If the client receives no response, he's likely to just keep flooding more 
packets at the port (particularly for UDP).

Sure, REJECT results in you sending a response you wouldn't otherwise send 
(nominally using more bandwidth), but it also cuts off further incoming 
traffic (saving bandwidth, and reducing filter load).

later,
chris


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
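As an added example (not part of Chris's or James's posts), here is a small POSIX shell script that emits iptables-restore input for the two policies under discussion, DROP and REJECT, using assumed example ports and the INPUT chain. It encodes the one wrinkle the thread glosses over: `--reject-with tcp-reset` is only accepted on `-p tcp` rules, so the UDP rules use icmp-port-unreachable, which is also what an unfirewalled host sends for a closed UDP port.

```shell
#!/bin/sh
# Added example, not code from the ALE thread. Emits iptables-restore
# input for two filtering policies: silently DROP, or REJECT with a
# protocol-appropriate response. Writing to stdout keeps it runnable
# without root; load with:  ./rules.sh reject | iptables-restore -n
# Ports below are assumptions chosen for illustration.

PORTS_TCP="${PORTS_TCP:-23 111}"    # assumed example TCP ports to close off
PORTS_UDP="${PORTS_UDP:-111 161}"   # assumed example UDP ports to close off

# Pick the REJECT variant iptables will accept for a given protocol.
# tcp-reset is only valid on -p tcp rules; UDP gets the ICMP
# port-unreachable a closed port would produce anyway.
reject_target() {
    case "$1" in
        tcp) echo "REJECT --reject-with tcp-reset" ;;
        udp) echo "REJECT --reject-with icmp-port-unreachable" ;;
        *)   echo "reject_target: unknown protocol '$1'" >&2; return 1 ;;
    esac
}

# Emit a complete iptables-restore ruleset for policy 'drop' or 'reject'.
ruleset() {
    policy="$1"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    for p in $PORTS_TCP; do
        if [ "$policy" = drop ]; then t=DROP; else t=$(reject_target tcp); fi
        echo "-A INPUT -p tcp --dport $p -j $t"
    done
    for p in $PORTS_UDP; do
        if [ "$policy" = drop ]; then t=DROP; else t=$(reject_target udp); fi
        echo "-A INPUT -p udp --dport $p -j $t"
    done
    echo "COMMIT"
}

# Default to the REJECT variant Chris argues for; pass 'drop' to compare.
ruleset "${1:-reject}"
```

Seen from the other end the two policies look different: a port scanner such as nmap reports a DROPped TCP port as "filtered" (no answer, so it retransmits and waits), while a port answered with tcp-reset shows as "closed", indistinguishable from a port nothing is listening on. That is the behaviour behind Chris's point that the reset costs one outbound packet but stops the retries.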