>>>> I've been reading about DROP vs. REJECT and some are saying that DROP
>>>> causes problems without any benefit. Do you guys agree? Should DROP
>>>> normally not be used at all?
>>>
>>> DROP is perfectly acceptable as a default policy for traffic from the
>>> internet. Shorewall's "default DROP action" (action.Drop) gets applied
>>> before a packet is actually dropped, ensuring that traffic that is
>>> potentially harmful to DROP is handled properly.
>>>
>>> DROP isn't particularly friendly for traffic that originates behind your
>>> firewall -- for that traffic, REJECT is a better choice.
>>
>> What is the advantage of using DROP? Is it supposed to leave the
>> requester wondering whether or not there is a service running at that
>> location?
>
> Since DROP doesn't return any indication to the dropped connection request:
>
> a) It reduces the footprint of your network, making it less visible from
> the internet. This has the effect of slowing down port scanners.
>
> b) In the event of a DDOS attack using forged source addresses, it
> prevents your firewall from contributing to the attack.
>
> c) In the event of a DOS attack on your network, it prevents a flood of
> output responses.
Thanks, that makes a lot of sense. Is there a way to scan for REJECTions so
you can tell if you need to be DROPping any that you aren't?

- Grant

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
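One way to answer Grant's question, as an added example that is not part of the thread and not Shorewall's own code: attempt a plain TCP connect() to each port from the zone whose view you care about (the internet side, for the net->fw policy) and classify what comes back. A REJECT shows up as an immediate error (ECONNREFUSED for a TCP RST or ICMP port-unreachable, EHOSTUNREACH/ENETUNREACH for ICMP admin-prohibited on Linux), while a DROP shows up as silence until the timeout. The errno mapping is Linux's; the target host, port list, verdict labels and loopback self-check are assumptions chosen for this example. nmap's `--reason` column ("reset" versus "no-response") gives the same distinction at scale; the script below needs no root and no extra tools.

```python
"""Probe TCP ports through a firewall and tell REJECT from DROP.

Added example for the Shorewall-users thread above; not Shorewall code.
The errno-to-verdict mapping relies on how Linux reports TCP RST and ICMP
errors to connect(); labels, host and ports are assumptions for this example.
"""
import errno
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Verdict labels are this example's own, not Shorewall's.
OPEN = "open"
REJECT = "reject"            # TCP RST or ICMP port-unreachable came back
REJECT_ICMP = "reject-icmp"  # ICMP admin-prohibited / host or net unreachable
DROP = "drop"                # nothing came back before the timeout


def classify(err: Optional[int]) -> str:
    """Map the errno of a failed connect() to the likely firewall verdict."""
    if err is None:
        return OPEN
    if err == errno.ECONNREFUSED:
        # REJECT with tcp-reset (what Shorewall uses for TCP) and
        # icmp-port-unreachable both surface as ECONNREFUSED on Linux.
        return REJECT
    if err in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        # icmp-admin-prohibited and the unreachable variants land here.
        return REJECT_ICMP
    if err == errno.ETIMEDOUT:
        return DROP
    return "other:" + errno.errorcode.get(err, str(err))


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connection and classify the response."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:
        return DROP  # no SYN-ACK, no RST, no ICMP: DROP (or the host is down)
    except OSError as exc:
        return classify(exc.errno)
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in `ports` on `host`."""
    return {port: probe(host, port, timeout) for port in ports}


def rejected_ports(results: Dict[int, str]) -> List[int]:
    """Ports that answered with a reject. If the scan ran from the untrusted
    side, these are the candidates Grant is asking about: they reveal the
    host and could be moved to DROP."""
    return sorted(p for p, v in results.items() if v in (REJECT, REJECT_ICMP))


def free_local_port() -> int:
    """A loopback port with no listener (used for the constructed self-check)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def listen_local() -> Tuple[socket.socket, int]:
    """A loopback listener so the self-check has one genuinely open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed self-check on loopback: the listener is "open"; the closed
    # port answers with a RST, which is exactly what a REJECT looks like.
    srv, open_port = listen_local()
    closed_port = free_local_port()
    results = scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    for port, verdict in sorted(results.items()):
        print(f"{port}/tcp {verdict}")
    print("reject candidates for DROP:", rejected_ports(results))
```

Two caveats when using this for real: "drop" is indistinguishable from an unreachable host, so confirm reachability against a port you know is open before trusting the silent ones, and run the scan from outside the firewall, since REJECTs seen from the internal zone are the ones the thread says to keep.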
