On Sat, 20 Sep 2003 08:24 am, Mike Mestnik wrote:
> For this thread I'd like to FOCUS on rejecting bad traffic and not on dropping. The first case I'd like to discuss is where all but a handful of public web sites are allowed for outgoing connections. A typical NAT setup is used where all the users sit behind a firewall; some have full access to the Internet but most have restricted access. I'd also like to bring other minds into the discussion, and not have it be a Linux-only problem.
>
> Here is the big deal. A web page like www.nasdaq.com is considered valid, so traffic to its IP 208.249.117.71 is ACCEPTed. However, this site pulls content from an unknown group of other sites, unfortunately not ACCEPTed. In the meantime, until all the sites can be added, it's not proper to simply DROP these SYN packets. This is where this concerns EVERYONE: the client software needs to get the right REJECT from the firewall. Now how and when to use what type of reply becomes a big deal.
>
> I'd like to open this discussion up to everyone who has 2 cents and/or another good use of REJECT vs DROP. For my setup I have winblows computers running both IE and Netscape behind a generic firewall *Blush*. The two types of REJECTs I have tested are "TCP RST" and ICMP (Port Unreachable); are there any others?
>
> This thread may be moved to another list where appropriate, but was started on [EMAIL PROTECTED]
Well, the only distinction between the two that I make is that a REJECT is polite, and a DROP is rude. Also, a REJECT says to the other end "yes, there is a host there", whereas a DROP says "I got nothing, looks like there's nothing there". For home connections I tend to just DROP everything that I don't want; this makes it slower for people to scan, as they aren't getting a valid response from every non-open port on my system. For business, it's probably more correct to REJECT packets; however, there are a lot of people out there (spammers, script kiddies) who don't play by the rules, so that's where I tend to think a DROP rule is fine. If they aren't going to play friendly, I'm not either. If you want your firewall/server to be as invisible as possible, DROP is the only way.

t
--
GPG : http://n12turbo.com/tarragon/public.key
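As an added example, not part of either post above, the following Python probe shows what the client behind the NAT actually experiences for each choice the thread is weighing. The relevant iptables forms are `-j REJECT --reject-with tcp-reset`, `-j REJECT --reject-with icmp-port-unreachable` (the default for REJECT; the other ICMP variants are icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited and icmp-admin-prohibited) and plain `-j DROP`. From the client's side, on Linux a TCP RST and an ICMP port-unreachable both surface from connect() as ECONNREFUSED, the host/net-level ICMP errors as EHOSTUNREACH/ENETUNREACH, and a DROP as nothing at all, so the browser sits retransmitting SYNs until its timer expires. The script measures that delay. The hostnames, ports and function names here are the example's own; a closed loopback port is used as a stand-in for a REJECTed destination so the script runs offline, which is a constructed input.

```python
import errno
import socket
import time

# What a TCP client sees for each firewall decision. On Linux a TCP RST and an
# ICMP port-unreachable both arrive as ECONNREFUSED; ICMP host/net unreachable
# (and the *-prohibited codes) arrive as EHOSTUNREACH / ENETUNREACH; a DROP
# produces no reply, so connect() retransmits the SYN until it gives up.
OUTCOMES = {
    errno.ECONNREFUSED: "rejected (TCP RST or ICMP port-unreachable)",
    errno.EHOSTUNREACH: "rejected (ICMP host-unreachable / host-prohibited)",
    errno.ENETUNREACH: "rejected (ICMP net-unreachable / net-prohibited)",
}


def classify(err):
    """Map the errno of a failed connect() to the firewall behaviour it implies."""
    if err is None:
        return "open"
    if err == errno.ETIMEDOUT:
        return "dropped (no reply; SYN retransmitted until timeout)"
    return OUTCOMES.get(err, "other error (errno %d)" % err)


def probe(host, port, timeout=3.0):
    """Try one TCP connect and return (outcome, elapsed_seconds).

    The elapsed time is the point of the thread: a REJECT fails in
    milliseconds, a DROP burns the whole timeout before the browser can
    move on to the next embedded resource.
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        err = None
    except socket.timeout:          # no SYN/ACK, no RST, no ICMP: looks like DROP
        err = errno.ETIMEDOUT
    except OSError as e:            # RST or ICMP error delivered by the kernel
        err = e.errno
    finally:
        s.close()
    return classify(err), time.monotonic() - start


def closed_loopback_port():
    """Constructed input: a loopback port nothing listens on (bind, read, release).

    Connecting to it gets a TCP RST from the local stack, the same thing the
    client sees from a firewall REJECT --reject-with tcp-reset.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = closed_loopback_port()
    outcome, secs = probe("127.0.0.1", port)
    print("127.0.0.1:%d -> %s after %.3fs" % (port, outcome, secs))
    # To see the DROP case, point probe() at a host whose firewall silently
    # drops the port (assumed, not run here): the call returns only after
    # the full timeout with the "dropped" outcome.
```

Run against a real egress firewall by replacing the loopback target with the blocked third-party site; the contrast between a sub-second "rejected" and a multi-second "dropped" is exactly why the original poster does not want to DROP SYNs to the sites nasdaq.com pulls content from.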

