iptables question

Hans Fugal hans at fugal.net
Wed Nov 5 07:25:41 MST 2008


Aaron Toponce wrote:
> On Mon, Nov 03, 2008 at 04:22:19PM -0700, Corey Edwards wrote:
>> I believe Nick is right. I would just add that on the LAN side of
>> things, I would REJECT rather than DROP. That'll save your host the
>> hassle of waiting for a timeout.
> 
> I too would use REJECT over DROP. If you pay close attention to standard
> TCP implementation, REJECT behaves more like TCP than DROP does. While
> DROP may seem more secure on the outset, the fact remains that REJECT is
> the preference for security.

Could you explain that in more depth for me? I see how REJECT is nicer
on the TCP side of things, but I don't see how that makes it preferable
for security. The conventional wisdom I've always heard is that DROP
reveals less about your firewall, acts in a small way as a tarpit for
e.g. portscanners, etc. I think I prefer REJECT personally, so I look
forward to your arguments.


-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach


