Aaron Toponce wrote:
> On Mon, Nov 03, 2008 at 04:22:19PM -0700, Corey Edwards wrote:
>> I believe Nick is right. I would just add that on the LAN side of
>> things, I would REJECT rather than DROP. That'll save your host the
>> hassle of waiting for a timeout.
>
> I too would use REJECT over DROP. If you pay close attention to standard
> TCP implementation, REJECT behaves more like TCP than DROP does. While
> DROP may seem more secure on the outset, the fact remains that REJECT is
> the preference for security.
Could you explain that in more depth for me? I see how REJECT is nicer on the TCP side of things, but I don't see how that makes it preferable for security. The conventional wisdom I've always heard is that DROP reveals less about your firewall, acts in a small way as a tarpit for e.g. portscanners, etc. I think I prefer REJECT personally, so I look forward to your arguments.

-- 
Hans Fugal ; http://hans.fugal.net
There's nothing remarkable about it. All one has to do is hit the right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
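The difference Corey and Aaron are describing is what a connecting host experiences: a REJECT target answers the SYN (a TCP RST or an ICMP unreachable), so connect() fails at once, whereas DROP sends nothing and the client sits until its own timeout expires. The probe below, an added example that is not part of the list thread, classifies a TCP connect attempt into exactly those outcomes so an administrator can verify from a LAN host which behaviour their firewall policy actually produces. It assumes only the Python standard library and a loopback port with nothing listening on it (constructed in `closed_local_port`), which the kernel answers with a RST, the same thing a REJECT rule with `--reject-with tcp-reset` would send.

```python
import errno
import socket
import time


def probe_port(host, port, timeout=2.0):
    """Attempt one TCP connect and classify what the far end (or its firewall) did.

    Returns (verdict, elapsed_seconds), where verdict is one of:
      'open'        - the handshake completed
      'refused'     - a RST or ICMP port-unreachable came back; this is what a
                      REJECT rule produces, and also what a closed port on an
                      unfiltered host produces
      'timeout'     - nothing came back before `timeout` seconds; this is what a
                      DROP rule produces, and why the client "waits for a timeout"
      'unreachable' - the local stack had no route at all (not a firewall verdict)
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = 'open'
    except socket.timeout:
        # Must be caught before OSError: since Python 3.10 socket.timeout is a
        # subclass of OSError.
        verdict = 'timeout'
    except OSError as e:
        if e.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            verdict = 'refused'
        elif e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            verdict = 'unreachable'
        else:
            raise
    finally:
        s.close()
    return verdict, time.monotonic() - start


def closed_local_port():
    """Constructed fixture: ask the kernel for a free ephemeral port, then release
    it, so that nothing listens there and a SYN to it is answered with a RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]


def open_local_port():
    """Constructed fixture: a loopback listener, so the 'open' verdict can be
    observed too. Returns (listening_socket, port); the caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', 0))
    s.listen(1)
    return s, s.getsockname()[1]


def describe(verdict):
    """Map a verdict onto the firewall behaviour it is consistent with."""
    return {
        'open': 'service accepted the connection',
        'refused': 'fast negative answer (REJECT-style: RST / ICMP unreachable)',
        'timeout': 'silence until our timeout (DROP-style)',
        'unreachable': 'no route from this host; check routing before blaming the firewall',
    }[verdict]


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:
        # Usage: python probe.py <host> <port>  -- probe a real firewall on the LAN
        target = (sys.argv[1], int(sys.argv[2]))
    else:
        # No arguments: demonstrate the REJECT-like case on loopback.
        target = ('127.0.0.1', closed_local_port())
    verdict, elapsed = probe_port(*target)
    print(f"{target[0]}:{target[1]} -> {verdict} after {elapsed:.3f}s: {describe(verdict)}")
```

Run against a port behind a DROP rule, the script reports `timeout` after the full two seconds; against a REJECT rule or an unfiltered closed port it reports `refused` within milliseconds, which is the "hassle" Corey is talking about. The `unreachable` verdict is kept separate because a missing route produces an immediate failure that is easy to misread as a REJECT.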
