Grant wrote:
>>> I've been reading about DROP vs. REJECT and some are saying that DROP
>>> causes problems without any benefit.  Do you guys agree?  Should DROP
>>> normally not be used at all?
>> DROP is perfectly acceptable as a default policy for traffic from the
>> internet. Shorewall's "default DROP action" (action.Drop) gets applied
>> before a packet is actually dropped, ensuring that traffic that is
>> potentially harmful to DROP is handled properly.
>>
>> DROP isn't particularly friendly for traffic that originates behind your
>> firewall -- for that traffic, REJECT is a better choice.
> 
> What is the advantage of using DROP?  Is it supposed to leave the
> requester wondering whether or not there is a service running at that
> location?

Since DROP doesn't return any indication to the dropped connection request:

a) It reduces the footprint of your network, making it less visible from
the internet. This has the effect of slowing down port scanners.

b) In the event of a DDoS attack using forged source addresses, it
prevents your firewall from contributing to the attack.

c) In the event of a DoS attack on your network, it prevents a flood of
output responses.
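An added example (not from the original thread) of a Shorewall `policy` file that follows the advice above: DROP for internet-originated traffic, REJECT for traffic that originates behind the firewall. The zone names `net`, `loc` and `fw` and the `loc` to `net` ACCEPT line are assumptions, not part of the thread.

```conf
#SOURCE   DEST   POLICY   LOG_LEVEL
# From the internet: DROP. No RST or ICMP error is sent back, so a
# forged source address gets nothing from this firewall. Shorewall
# runs its default Drop action before the packet is discarded.
net       all    DROP     info
# From behind the firewall: REJECT, so local clients get an
# immediate error instead of waiting for a connection timeout.
loc       fw     REJECT   info
# Assumed: local hosts may reach the internet (first match wins).
loc       net    ACCEPT
# Catch-all; must remain the last entry.
all       all    REJECT   info
```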


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users