On Sat, 20 Sep 2003 09:32 am, Mark Ferlatte wrote:
> Tarragon Allen said on Sat, Sep 20, 2003 at 09:15:41AM +1000:
> > The only distinction between the two that I make is that a REJECT is
> > polite, and a DROP is rude. Also, a REJECT says to the other end "yes,
> > there is a host there" whereas a DROP says "I got nothing, looks like
> > there's nothing there".
>
> More correctly, a REJECT requires your firewall to take action based on the
> request of an untrusted third party, while a DROP does not.
>
> If I send your firewalls a bunch of spoofed traffic, and you RST/ICMP the
> target, I've just used you to DoS them, if you get my meaning. Of course,
> you can use the limit module to help prevent this, but I think that's a bit
> too complex for a security device, and just drop stuff I don't want.
>
> > If you want your firewall/server to be as invisible as possible, DROP is
> > the only way.
>
> It's not going to be invisible (unless it's acting as a bridge, in which
> case it's okay for it to be invisible). Routers need to respond to
> certain ICMP types to function properly, so you shouldn't block them.
>
> M
True - I tend to lean heavily on the stateful aspects of netfilter and DROP
packets I don't know about (aren't related to any established connections).
This takes into account ICMP traffic. Also, unless I'm feeling really
paranoid, I will allow icmp echo-requests (ping). It depends on the role of
the server/firewall.

t
-- 
GPG : http://n12turbo.com/tarragon/public.key
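The two positions in the exchange above, written out as a small iptables-restore ruleset. This is an added example and not code posted by either participant. It assumes a single-homed host whose public interface is eth0 (a placeholder name), that ssh is the only service offered, and that the conntrack and limit matches are available. The "silent" mode is the stateful drop-everything-unknown approach from the reply; ICMP errors that belong to a known connection (destination-unreachable, time-exceeded, fragmentation-needed) still come in through the RELATED state, which is what keeps a router or host working without opening ICMP wholesale. The "polite" mode adds one REJECT rule, but only behind a limit match, so the box cannot be made to reflect RSTs at a spoofed third party at an attacker-chosen rate. Nothing here is loaded into the kernel; the functions only emit text.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset; review it or feed it to iptables-restore yourself.

WAN=eth0   # assumed public interface (placeholder)

# build_ruleset MODE   where MODE is "silent" (default) or "polite"
#   silent: unknown traffic hits the DROP policy and gets no answer at all.
#   polite: additionally REJECT tcp/113 (auth/ident, the classic port where
#           a silent drop makes the remote peer time out instead of failing
#           fast) with a RST, rate-limited. Past the limit the packet falls
#           through to the DROP policy.
build_ruleset() {
    mode=${1:-silent}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Anything belonging to a connection we already know about, including the
# ICMP errors related to it (path-MTU discovery lives here), is accepted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (bad flags, out of window) are dropped,
# never rejected, so a spoofed source never gets a reply from us.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Answer ping, but only at a bounded rate, so we cannot be turned into an
# echo-reply source against a spoofed victim.
-A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# The one service offered.
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$mode" = polite ]; then
        cat <<EOF
# Polite for this one port, but every REJECT carries a limit match.
-A INPUT -i $WAN -p tcp --dport 113 -m limit --limit 10/second --limit-burst 20 -j REJECT --reject-with tcp-reset
EOF
    fi
    # Everything else falls through to the DROP policy: no RST, no ICMP.
    echo COMMIT
}

# Lint over a ruleset on stdin: succeed only if every REJECT rule also carries
# a limit match, i.e. the firewall never replies to untrusted traffic at a
# rate the sender controls.
rejects_are_rate_limited() {
    ! grep -- '-j REJECT' | grep -v -- '-m limit' | grep -q .
}

# Usage:
#   build_ruleset silent > /tmp/rules.v4
#   build_ruleset polite | rejects_are_rate_limited && echo "all REJECTs limited"
```

The lint is the check worth keeping around: any ruleset that passes it only ever sends RSTs or ICMP errors on its own terms, which is the property the DROP camp is after, while still allowing a bounded REJECT where a silent drop would hurt legitimate peers.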

