On Saturday 18 May 2002 6:11 am, John T. Guthrie wrote:

> Hello all,
>
> Please pardon me if this is answered elsewhere.  I have tried looking
> through all of the documentation, but I am still left wondering what are
> the advantages/disadvantages of the DROP, REJECT, and MIRROR targets?  I
> know what they do, but I'm not quite certain as to what are some of the
> situations when I would want to use each.  (I know that this may fall more
> under the heading of "site policy".  I'm more interested in examples of why
> people chose what they did.)  I am especially interested in examples of the
> MIRROR target.

Basically:

You DROP packets when you don't want the sender to get anything back (ie as 
far as they're concerned, there wasn't a machine waiting to receive them on 
that IP address).   It's by far best if you can make sure you DROP *all* 
packets which are not being routed by your firewall (and of course you don't 
run any services *on* the firewall, do you :-) so that the machine is 
invisible on the net - if you DROP some, and ACCEPT or REJECT some, then a 
program such as nmap will know there's something there which is actively 
DROPping things.

You REJECT packets when you want the sender to get a connection reset, which 
will make their client respond much more quickly with "connection lost" or 
some such.   ie you don't want them to be waiting around for a long time 
whilst the TCP connection times out.

My recommendation for choosing between these two is to DROP packets from the 
outside (people you don't know and don't have any incentive to be nice to), 
and REJECT packets coming from the inside (people on your local network who 
you presumably want to get a quick and efficient response that the connection 
cannot be made).

I've never used MIRROR, and although it can sound quite cool, you should be 
careful about using it, as it is pretty aggressive.   Basically anything 
which comes in will be sent back to the source IP address, so someone port 
scanning you will actually end up port scanning themselves.   The main 
problem is when they port scan you with spoofed source addresses mixed in, 
and you end up scanning someone else's system, who may (a) not like it, or 
(b) block access from your network address/es.

Like you, I'd be interested to hear of anyone using MIRROR for good reasons.

 

Antony.
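The DROP-from-outside, REJECT-from-inside policy recommended in the reply above, written out as an added example that is not part of the original thread: a POSIX sh script that emits an iptables-restore ruleset (and applies it only when explicitly asked, as root). The interface names, the LAN address range and the single management SSH rule are assumptions made for illustration and are not from the thread; MIRROR is deliberately absent, since later kernels dropped that target.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates an iptables-restore ruleset that silently DROPs unsolicited traffic
# arriving on the outside interface and REJECTs it from the LAN so local
# clients fail fast. Interface names, LAN range and the SSH rule are assumed.

build_ruleset() {
    wan_if="$1"; lan_if="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the firewall itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Assumed: the one service the firewall exposes, SSH from the LAN only.
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# Outside: DROP everything else. The chain policy already does this; the
# explicit rule keeps a counter and makes the intent visible in the listing.
-A INPUT -i $wan_if -j DROP
# Inside: REJECT. TCP gets an RST (the "connection reset" in the reply above);
# everything else gets the default ICMP port-unreachable.
-A INPUT -i $lan_if -s $lan_net -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $lan_if -s $lan_net -j REJECT
# Forwarded traffic: LAN out, replies back, nothing new from the outside.
-A FORWARD -i $lan_if -s $lan_net -o $wan_if -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -j DROP
COMMIT
EOF
}

# Usage: ./fw.sh [WAN_IF LAN_IF LAN_NET]          -> print the ruleset
#        ./fw.sh --apply [WAN_IF LAN_IF LAN_NET]  -> load it with iptables-restore
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
    build_ruleset "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}" | iptables-restore
else
    build_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.0/24}"
fi
```

To confirm the two behaviours look different from the outside, scan the firewall from each side with `nmap -sS`: ports behind the DROP rule report as "filtered" (no reply at all), while ports behind the REJECT rule report as "closed" (RST or ICMP unreachable came back). A host that answers "closed" on some ports and "filtered" on others is exactly the mixed picture the reply warns against.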
