> What is the advantage of using DROP?  Is it supposed to leave the
> requester wondering whether or not there is a service running at that
> location?

More or less...

Imagine the big bad wolf knocking on your door. REJECT says "nyah nyah nyah, 
the door is locked"  ...but maybe the wolf will huff and puff and blow your 
house down anyway. DROP says absolutely nothing, leaving the wolf scratching 
his head over whether the dead silence means nobody's home or means somebody's 
hiding under the bed. 

DROP implements what in some other contexts is called "stealth". A few years 
ago some of those home NAT boxes were released without a "stealth" capability, 
and the feedback was so resoundingly negative they quickly got a firmware 
revision. DROP is very useful for "flying under the radar", which is often a 
good way to avoid being hacked.

The downside of DROP, since everybody's treated the same, is that YOU won't be 
able to get any response either. It can make troubleshooting quite difficult. 
Assuming troubleshooting the Internet is _somebody_else's_ problem so it's okay 
to use DROP liberally on your outside interface (where the hackers are) is 
often reasonable. 

thanks! -Chuck Kollars
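As an added illustration (not from the message above or the Shorewall project's shipped samples), here is a two-zone Shorewall policy/rules split that follows the reasoning in this thread: DROP, with logging, toward the outside zone, and REJECT toward the inside zone so local hosts get an immediate error instead of a timeout. The zone names `net`/`loc` and the SSH port are assumptions.

```text
# /etc/shorewall/policy  (assumed two-zone layout: net = outside, loc = LAN)
#SOURCE  DEST   POLICY  LOGLEVEL
# Inside hosts get a REJECT: a connection to a closed port fails at once,
# which keeps troubleshooting from the LAN simple.
loc      $FW    REJECT  info
loc      net    ACCEPT
# Outside hosts get silence. The LOGLEVEL is what offsets the downside:
# the firewall says nothing to the sender, but you can still see in
# syslog what it discarded.
net      all    DROP    info
all      all    REJECT  info

# /etc/shorewall/rules  (exceptions evaluated before the policies above)
#ACTION        SOURCE  DEST   PROTO  DEST PORT(S)
# Keep ping working from the LAN so "is the box up?" stays answerable.
Ping(ACCEPT)   loc     $FW
# Example service reachable from inside only; port 22 is an assumption.
ACCEPT         loc     $FW    tcp    22
```

Dropped packets then show up in the log with Shorewall's `net2fw:DROP:` prefix, so the sender sees nothing while the administrator still has a record to troubleshoot from.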

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users