> -----Original Message-----
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: [email protected]
> Subject: Re: is iptables enough?
>
>
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
>
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
>
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
>
> Josh
I tend to agree and usually set my policies to DROP. One notable exception is TCP dest port 113, which I prefer to REJECT, because I don't like to wait for Auth timeouts when I login to IRC. Drawback of this: REJECTing some packets helps nmap detect your OS (nmap needs one open port and one REJECT for best results). Back to the policy, I guess setting it to REJECT or DROP is quite related to the use of your machine; also you "probably" want to REJECT unauthorized packets that come from your intranet.
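As an added example (not part of the thread, and not anyone's actual ruleset), here is an iptables INPUT chain that applies the policy described above: default DROP, ident (TCP/113) answered with a TCP RST so IRC logins do not hang on the auth timeout, and unauthorized LAN traffic REJECTed rather than silently dropped. The interface names and the LAN prefix are assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumed topology (hypothetical): Internet on eth0, LAN 192.168.0.0/24 on eth1.
# Default policy is DROP; two exceptions are REJECTed deliberately:
#   - TCP/113 (ident) gets a RST so IRC servers stop waiting immediately
#   - traffic from the LAN gets an ICMP error so local hosts see a clear answer
# Everything else from outside falls through to the DROP policy, which also
# avoids generating reply traffic on a small upstream link.

EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Wrapper: print the command in dry-run mode, otherwise run iptables (needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT

    # loopback and replies to connections we initiated
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ident: a RST ends the remote auth lookup at once instead of after a timeout
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # unauthorized packets from the intranet: be polite to your own machines
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j REJECT --reject-with icmp-port-unreachable

    # no final rule needed: the INPUT policy (DROP) handles the rest
}

# Count generated rules that jump to a given target (dry run only).
count_rules_with_target() {
    DRY_RUN=1 build_rules | grep -c -- "-j $1"
}

# Run directly: apply (or print with DRY_RUN=1) the rules.
[ -n "$IPTABLES_EXAMPLE_NO_MAIN" ] || build_rules
```

Note the trade-off the reply points out: each REJECT rule is one more closed port that answers, which is exactly what an OS-fingerprinting scan likes to see, so keep the REJECT exceptions to the few cases where the faster failure is worth it.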

