[ale] iptables: DROP vs. REJECT --reject-with tcp-reset

Geoffrey esoteric at 3times25.net
Tue Apr 2 13:24:18 EST 2002
Amarendra Godbole (Intl Vendor) wrote:
>> Right now my iptables firewall is set up to DROP all undesirable TCP
>> packets. However, I have read that DROP can be a giveaway that you are
>> running a firewall. Is it better to try to look like you don't have a
>> firewall and use REJECT --reject-with tcp-reset? What are good scenarios
>> to use REJECT --reject-with tcp-reset?
>>
> 
> Keeping the packet filtering tool aside, security by obscurity is no
> longer a valid scenario, and never works for a longer time.

I disagree.  Security by obscurity is not a valid solution when used as 
the sole protection mechanism, but it can be a useful tool in an overall 
security design.  No protection mechanism is perfect, but if you hit 
them from various angles, you'll slow them up enough to catch them 
before they do you any damage.

> DROP and
> REJECT choice can be made on how powerful your firewall machine is. In
> DROP the packets are immediately dropped and no reply is sent, while in
> REJECT a reply which says that ``Hey, I am rejecting your packets :)''
> is sent. So if you want to put less burden on your machine, go for a
> DROP, else REJECT is also fine.

Typically, you want to reject a packet that you received because it was 
an honest mistake by the sender.  You want to drop a packet, because it 
was sent by someone attempting something malicious and you don't want to 
provide them any insight into your network protection scenario.  The big 
question is, how do you tell the difference? :)

> 
> The choice for DROP or REJECT with reference to security by obscurity is
> not a good idea. And there is no harm letting them know that yes, we
> have adequate mechanisms to fight you... :)

I disagree.  There's no reason to show your cards.  If you stop them, 
and they don't know why, all the better for you.  If you stop them and 
tell them why, that's just plain stupid.

> 
> Cheers,
> --amar
> 
> --
> Amarendra A. Godbole / Microsoft ``Services For UNIX'' / These opinions
> are _MINE_.
> If you miss love, you miss life.


-- 
Until later: Geoffrey		esoteric at 3times25.net

I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?
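The DROP-for-strangers, REJECT-for-honest-mistakes split described above, as an added iptables example that is not part of this thread. The trusted LAN range, the ports offered and the IPT variable are assumptions; everything not matched falls through to a DROP policy, so no reply at all goes back to unsolicited probes.

```shell
#!/bin/sh
# Added example, not from the original post: an INPUT chain that answers
# likely honest mistakes (trusted LAN) with a TCP RST and stays silent
# (DROP policy) for everyone else.
# Assumptions: trusted LAN is 192.168.1.0/24, the host offers SSH and HTTP.
# IPT lets the caller swap in another binary (e.g. IPT=echo to preview).

IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"

apply_input_policy() {
    # Default is silence: DROP sends nothing, so a probe cannot tell a
    # filtered port from a host that is simply not there.
    "$IPT" -P INPUT DROP
    "$IPT" -F INPUT

    # Loopback and replies to our own connections are always fine.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to everyone.
    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT

    # Trusted hosts hitting a closed port are most likely a typo or a
    # misconfigured client: send a RST so their connect() fails at once
    # instead of hanging until it times out. tcp-reset is only valid
    # with -p tcp, so UDP gets the ICMP equivalent.
    "$IPT" -A INPUT -s "$LAN" -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -s "$LAN" -p udp -j REJECT --reject-with icmp-port-unreachable

    # Anything else reaches the end of the chain and meets the DROP
    # policy: no RST, no ICMP, nothing to learn from.
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_input_policy
fi
```

Run `IPT=echo sh firewall.sh --apply` to print the rules it would install without changing anything.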


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.