Matthew Lenz wrote:
Just had a situation where a backend job was hanging because it couldn't
get to an IP. The TCP connect just kind of hung, and this particular
software module had a really long timeout set. Is there a reason why,
for example, there is a global block in pfSense as opposed to a global
reject (which seems to fail attempts immediately)? Sorry, I'm a fw
noob :)

Block essentially leaves the firewall "invisible" on the Internet, so
that's the default. With block and no open ports and no permitted
traffic, your firewall's WAN IP looks no different from an unused IP on
the Internet, sometimes referred to as "stealth". Granted, it's far from
foolproof, but that's the default stance any firewall should take, IMO.

Reject sends an ICMP unreachable back to the requesting host, which would
let an attacker know that there is actually a host there. Also, OS
fingerprinting can be done on how a machine rejects certain packets, so
that's another good reason to block vs. reject. It's all obscurity, but
obscurity combined with other layers of protection is a good thing
(never rely on it for anything, but it's never bad to have).

-cmb

So it's safe to assume that Internet -> WAN stuff should be blocked. But for
internal access between my LAN/OPT interfaces and outbound WAN, I can use
reject and it wouldn't be considered bad form?

-Matt
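As an added illustration, not from the thread or the pfSense project: a pf ruleset fragment (pf is the packet filter underneath pfSense) that applies the two stances discussed above, silent drop on WAN and return (reject) on the internal interfaces so that a LAN client's connect() fails immediately instead of sitting in its own timeout. Interface names and networks are assumed.

```pf
# Assumed interfaces and networks (not from the thread)
wan_if  = "em0"
lan_if  = "em1"
opt_if  = "em2"
lan_net = "192.168.1.0/24"
opt_net = "192.168.2.0/24"

# Anything not matched by a rule below is dropped silently.
set block-policy drop

# WAN: unsolicited inbound traffic is dropped with no reply, so the WAN
# address answers no differently from an unused one ("stealth").
block drop in log on $wan_if all

# LAN -> OPT is not permitted here: use return so the internal client gets a
# TCP RST (or ICMP unreachable for UDP) and fails fast rather than hanging.
block return in log on $lan_if from $lan_net to $opt_net

# Permitted LAN -> Internet traffic; pf is last-match, so this pass rule
# wins for any LAN traffic that is not headed to OPT.
pass in on $lan_if from $lan_net to any keep state
pass out on $wan_if from $lan_net to any keep state
```

The log keyword on the block rules is what makes the dropped and rejected attempts visible in the firewall log, which is where the hang described at the top of the thread would have shown up first.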