> So it's safe to assume that internet -> WAN stuff should be blocked. But for internal access between my LAN/OPT interfaces and outbound WAN I can use reject and it wouldn't be considered bad form?
Not at all. It's something I insist on when managing production firewalls of whatever hue. Too much time is spent chasing packets down black holes, when being a good network citizen w.r.t. the RFCs would have saved hours of blood, sweat, toil and tears. Personally I junked the 'stealth' thing years ago. Portscans happen in parallel, so the notion that you're slowing a script kiddie down is laughable. By all means attempt to figure out what I'm running OS-wise on my gateway :-). Nmap -O got that wrong also, LOL. Something I have noticed is that playing ball on the internet interface has reduced the amount of scanning traffic significantly.

Greg
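The split Greg describes, silently dropping on the internet-facing interface while rejecting on internal interfaces so misdirected clients fail immediately instead of waiting out a timeout, expressed as a pf.conf fragment. This is an added example, not configuration from the thread; the interface names em0/em1/em2 and the allowed ports are assumptions.

```pf
# Assumed interface names (not from the thread)
ext_if = "em0"   # WAN
lan_if = "em1"   # LAN
opt_if = "em2"   # OPT1

# WAN: silently drop anything not explicitly allowed; unsolicited
# inbound traffic gets no reply at all.
block drop in quick on $ext_if all

# Internal interfaces: reject instead of drop. For TCP pf sends an RST,
# for UDP an ICMP port-unreachable, so a host on the LAN/OPT segment
# that hits a blocked port learns immediately rather than hanging
# for the duration of a connect timeout (the "black hole" Greg mentions).
block return in on $lan_if all
block return in on $opt_if all

# Example policy: LAN may reach the internet on a few ports only
pass in on $lan_if inet proto tcp from $lan_if:network to any port { 80 443 } keep state
pass in on $lan_if inet proto udp from $lan_if:network to any port 53 keep state

# OPT1 is kept off the LAN segment entirely; attempts are rejected by the
# rule above. Only its outbound web traffic is allowed.
pass in on $opt_if inet proto tcp from $opt_if:network to ! $lan_if:network port { 80 443 } keep state

# Stateful pass-out on the WAN so replies to allowed sessions come back
pass out on $ext_if all keep state
```

Because rule order matters in pf, `block return` is deliberately not `quick`: later `pass` rules still win for the permitted traffic, while everything else on the internal segments gets an explicit refusal.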
