Lourdes A Jones
Fri, 12 Feb 1999 16:56:53 -0500
David A. Ranch wrote:

> >I found in writing firewall rules, it's easier to do a "blanket" deny
> >policy, (so you get all your bases), then only do "accept" for those
> >services you want to allow.
>
> Why not a blanket REJECT?

Personal preference. DENY drops the packet, REJECT sends back an ICMP
message. I deny by policy and reject by specific rule sets (including
catchall reject and log rules).

(In my opinion) policy drops should only occur during rule setup when the
interface is going up. I don't actually want to tell the other end to stop
sending yet. After the rule set is configured, a REJECT rule will tell the
other side to quit trying and log the offender so I can take action at a
later time.

For example: I have a tcp 80 request start up the link. The rule set for
firewalling is created in the ip-up script (I don't have the ip address
before then). It's possible to get a reply from the http server before the
accept rule has taken effect. A reject would tell the http server to not
bother trying again; a deny would (hopefully) allow the server to try again
with another packet.

Is that any clearer?

Lourdes
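As an added example (not Lourdes's script or anything posted to the list), here is what the ordering described above looks like as an ipchains /etc/ppp/ip-up script: the input chain policy is set to DENY before any rules exist, the ACCEPT rules are added once the dialup address is known, and a logged REJECT catch-all goes in last so that only unwanted traffic is told to stop. It assumes pppd's ip-up argument order ($1 interface, $4 local address); the DRY_RUN variable and the run helper are hypothetical additions so the command sequence can be inspected on a machine without ipchains, and the ports accepted are constructed for illustration.

```shell
#!/bin/sh
# Added example for the DENY vs REJECT discussion (not from the original post).
# pppd invokes ip-up as:  ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP [IPPARAM]
# Hypothetical helper: with DRY_RUN set, commands are printed, not executed.

IPCHAINS=${IPCHAINS:-ipchains}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    iface=$1
    local_ip=$2

    # 1. Policy first. Until the rules below exist, anything arriving is
    #    silently dropped: no ICMP goes back, so the far end simply retries.
    run "$IPCHAINS" -P input DENY
    run "$IPCHAINS" -F input

    # 2. Accept rules, now that the address is known.
    #    Replies to TCP connections we opened: '! -y' matches packets that are
    #    not a bare SYN, so new inbound connections still fall through.
    run "$IPCHAINS" -A input -i "$iface" -p tcp ! -y -s 0/0 -d "$local_ip" 1024:65535 -j ACCEPT
    #    DNS answers to our resolver queries (constructed example port set).
    run "$IPCHAINS" -A input -i "$iface" -p udp -s 0/0 53 -d "$local_ip" 1024:65535 -j ACCEPT
    #    ICMP so errors and MTU discovery still work.
    run "$IPCHAINS" -A input -i "$iface" -p icmp -j ACCEPT

    # 3. Catch-all last: legitimate traffic is already accepted above, so
    #    everything else gets an ICMP unreachable (REJECT) and a log entry (-l).
    run "$IPCHAINS" -A input -i "$iface" -j REJECT -l
}

# When pppd runs this script, $1 is the interface and $4 our local address.
if [ -n "$1" ] && [ -n "$4" ]; then
    build_rules "$1" "$4"
fi
```

Run it with `DRY_RUN=1 sh ip-up ppp0 tty 0 192.0.2.10 192.0.2.1` to see the six commands in order. The window Lourdes describes is the gap between the -F and the first -A: an HTTP reply landing there hits the DENY policy and is dropped without any message, so the server's TCP stack retransmits; had the policy been REJECT, the server would have been told to give up.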