Normally, you want your FW to be as invisible as possible (black hole), so you just drop all incoming packets that are not specifically allowed in by a rule. What you can't see can only be attacked by guessing. Rejecting gives back information to the bad guy...

In the case of an SMTP mail server, it's better to reject incoming IDENT requests; otherwise, you will have timeout problems with the SMTP delivery of your mail going out to some servers.

-----Original Message-----
From: irado furioso com tudo [mailto:[EMAIL PROTECTED]]
Date: 8 January 2002 04:31
Cc: [EMAIL PROTECTED]
Subject: Re: NAT, Internet access and security

I had heard that it is better to have a 'reject' rule instead of a 'deny' one, as reject will give back an immediate reply to the interrogator, while just rejecting the query can give you a multitude of 'retry', which can eat your bandwidth with lots and lots of retries. If possible, can somebody point me to where I can get correct information on this (white papers, hints, tips, anything..)?

Nick wrote:
> I was under the impression that the "stealth rule" was to have anything
> going directly to your Firewall dropped, therefore making your FW's
> address a "black hole". It never answers anything, except what you
> specifically allow for management purposes.

--
regards, irado furioso com tudo. Linux User (SuSE) 179.402
explaining padre marcelo ('o mala', the pope's boy, the pope's star): old sh$&^ in new clothes.
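The IDENT point made in the top message, as an added example that is not part of this thread: a Python model of the IDENT lookup a receiving mail server performs against the sending host before it accepts the SMTP session. It assumes a local port with no listener stands in for a REJECT rule (immediate TCP reset) and a constructed listener that never answers stands in for a DROP rule; the sender's delivery is stalled for the full query timeout only in the second case.

```python
import socket
import threading
import time


def ident_lookup(host, port, remote_port=40000, local_port=25, timeout=2.0):
    """One IDENT (RFC 1413) query as a receiving MTA makes it: connect to
    `port` on the connecting host, send "<its source port>, <our port>" and
    wait for one reply line.  Returns (outcome, seconds): "refused" = TCP RST
    (what REJECT produces), "timeout" = silence (what DROP produces)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{remote_port}, {local_port}\r\n".encode())
            outcome = "answered" if s.recv(512) else "closed"
    except ConnectionRefusedError:
        outcome = "refused"
    except (socket.timeout, TimeoutError):
        outcome = "timeout"
    return outcome, time.monotonic() - start


def closed_port():
    """Local port with no listener: the kernel sends RST, like REJECT with tcp-reset."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def silent_listener(hold=5.0):
    """Constructed black-hole stand-in: accepts but never replies, so the querier
    burns its whole timeout (a real DROP stalls the connect itself; same effect)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def hold_open():
        conn, _ = srv.accept()
        time.sleep(hold)  # never answer the query
        conn.close()

    threading.Thread(target=hold_open, daemon=True).start()
    return srv.getsockname()[1]


def compare(timeout=0.5):
    """Both cases side by side; the black-hole one is what delays outgoing mail."""
    rejected = ident_lookup("127.0.0.1", closed_port(), timeout=timeout)
    dropped = ident_lookup("127.0.0.1", silent_listener(), timeout=timeout)
    return rejected, dropped
```

Real MTAs use IDENT timeouts of tens of seconds, so a DROP on port 113 at the sending side costs that much per delivery attempt to every receiver that still performs the lookup.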