Thornton Prime stated the following:
>
> On Fri, 5 Jan 2001, Roy G. Culley wrote:
>
> > Thornton Prime <[EMAIL PROTECTED]> wrote:
> >
> > > I forgot to mention, in general it is better to REJECT than DENY. REJECT
> > > responds to the source by telling them that the port is unreachable,
> > > whereas deny simply drops the packets entirely.
> > >
> > > If you are going to block access by protocol and port, then you should use
> > > REJECT, and it will appear that the service is simply not running. If you
> > > DENY, it will tip your hand that there is a firewall rule.
> > >
> > > If you want to hide your machine entirely from a foreign host, then it is
> > > appropriate to use DENY, but it is only effective if you block all access,
> > > not selected protocols or ports.
> >
> > I have to disagree here. I've been a security / firewall administrator
> > for several years and the consensus among admins is to deny. All firewalls
> > that I use deny by default. In fact the only time I have ever used
> > reject is when I receive an ident/auth request. I reject these to avoid
> > delays in sending emails to servers that use ident/auth. Why help possible
> > attackers by letting them know immediately that a service is not running?
>
> I've been a security/firewall administrator for years also and the
> consensus among the pack I run with is to REJECT. <grin>
>
> I don't mind helping script kiddies by letting them know that a
> service is unreachable, because they will move on anyway because they
> are just bulk scanning. A determined intruder will recognize that a
> machine not responding to specific ports but responding on other ports or
> protocols is protected by a firewall. Their next step will be to map your
> firewall, and for that you've made that easier for them.
>
> In general, most network administrators consider it poor form to not
> respond with ICMP port unreachable messages.
>
> On the other hand, I do keep a list of script kiddie networks and lame
> networks, and I DENY those entirely.
>
> This has been a bit of debate between network administrators and firewall
> administrators for a while, though, to DENY or REJECT. It is fair to say
> that they will be equally effective in achieving the immediate goal of
> keeping people out.
It's time to resurrect this discussion!
A long time ago, when I was not up-to-date on security, I had a cracker
enter a worm into my system without even entering the front door. I
was fortunate to spot the trouble early, but a worm of that magnitude
was not worth having around.
Why the story? Ipchains has reject and from all appearances it allows
the worm, as it so happened long ago, into the system. Deny doesn't
seem to entertain any thought of accepting anything. In fact, it
seems to baffle bad or good systems into not knowing what to do. I
think that's far better than allowing any hints.
Care to comment?
Note: When you reply to this message, please include the mailing
list/newsgroup address in Cc: and my email address in To:.
*********************************************************************
Signed,
SoloCDM
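Added example, not code from any poster in this thread: a small Python model of what a remote peer observes when a filtered port is REJECTed (ICMP port unreachable, so the peer sees "connection refused" at once) versus DENYed (packet silently dropped, so the peer waits out its own connect timeout). The port list, the running services, the two firewall policies, and the timing constants CLIENT_TIMEOUT and RTT are all constructed for illustration; the function names are mine. It reproduces the two claims made above: a host that answers some ports but times out on others is visibly behind a filter (Thornton Prime's point), and a DENYed ident/auth port stalls the remote mail server for the full timeout while a REJECTed one does not (Roy G. Culley's point).

```python
"""Model of what a remote peer sees under ipchains REJECT vs DENY.

Constructed example: no packets are sent, the 'network' is a lookup table.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed timings: how long a typical client waits for SYN/ACK before
# giving up, and one network round trip. Real values depend on the stack.
CLIENT_TIMEOUT = 30.0
RTT = 0.05


@dataclass
class Outcome:
    port: int
    result: str     # "open", "refused" (RST or ICMP unreachable) or "timeout"
    elapsed: float  # seconds until the peer knows the answer


def firewall_action(policy: Dict[int, str], port: int, default: str) -> str:
    """Return ACCEPT, REJECT or DENY for a destination port (hypothetical rule table)."""
    return policy.get(port, default)


def probe(port: int, services: Set[int], policy: Dict[int, str], default: str) -> Outcome:
    """Simulate one TCP connect attempt against a firewalled host."""
    action = firewall_action(policy, port, default)
    if action == "DENY":
        # Dropped silently: the peer learns nothing until its own timer expires.
        return Outcome(port, "timeout", CLIENT_TIMEOUT)
    if action == "REJECT":
        # ICMP port unreachable comes back immediately; it looks like a closed port.
        return Outcome(port, "refused", RTT)
    # ACCEPT: the packet reaches the TCP stack; a port with no listener answers RST.
    return Outcome(port, "open" if port in services else "refused", RTT)


def scan(ports: Iterable[int], services: Set[int], policy: Dict[int, str], default: str) -> List[Outcome]:
    return [probe(p, services, policy, default) for p in ports]


def infer_filter(outcomes: Iterable[Outcome]) -> bool:
    """A host that answers on some ports yet silently drops others reveals a
    firewall; one that answers everywhere, or nowhere, does not."""
    results = {o.result for o in outcomes}
    return "timeout" in results and bool(results - {"timeout"})


def compare_policies() -> Dict[str, List[Outcome]]:
    """Three constructed firewalls protecting the same host (ssh and smtp running)."""
    ports = [22, 25, 80, 113]
    services = {22, 25}
    return {
        # Thornton Prime's style: let traffic through, REJECT the blocked ports.
        "reject": scan(ports, services, {80: "REJECT", 113: "REJECT"}, "ACCEPT"),
        # Roy G. Culley's style: DENY by default, open only what is needed.
        "deny": scan(ports, services, {22: "ACCEPT", 25: "ACCEPT"}, "DENY"),
        # Hiding the machine entirely: DENY everything.
        "hidden": scan(ports, services, {}, "DENY"),
    }


def ident_delay(outcomes: Iterable[Outcome]) -> float:
    """Seconds a remote mail server spends on its ident/auth (113) lookup."""
    return next(o.elapsed for o in outcomes if o.port == 113)


if __name__ == "__main__":
    for name, outcomes in compare_policies().items():
        summary = ", ".join(f"{o.port}:{o.result}" for o in outcomes)
        print(f"{name:7s} filter visible={infer_filter(outcomes)!s:5s} "
              f"ident delay={ident_delay(outcomes):5.2f}s  [{summary}]")
```

Run as a script it prints one line per policy; the "deny" firewall is the only one where the filter is inferable from the mixed answers, and it is also the one that costs a peer the full CLIENT_TIMEOUT on the ident lookup, which is exactly the exception Roy carves out for REJECT.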
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list