iptables question

Stuart Jansen sjansen at buscaluz.org
Wed Nov 5 08:38:32 MST 2008


On Wed, 2008-11-05 at 07:25 -0700, Hans Fugal wrote:
> Could you explain that in more depth for me? I see how REJECT is nicer
> on the TCP side of things, but I don't see how that makes it preferable
> for security. The conventional wisdom I've always heard is that DROP
> reveals less about your firewall, acts in a small way as a tarpit for
> e.g. portscanners, etc. I think I prefer REJECT personally, so I look
> forward to your arguments.

If you leave even a single port open, and attacker can discover you. It
can act as a tarpit, but it doesn't reveal less about you.

You could argue that REJECT leaves doubt about whether a firewall
exists. If there's even a single port open, DROP confirms that a
firewall exists. The attacker just has to figure out how to get around
it. An advantage of DROP is that it uses less CPU and bandwidth.

I wouldn't go as far as saying that REJECT is more secure or that
"REJECT acts more like TCP". Both act like TCP. REJECT acts like the
port is closed. DROP acts like the IP doesn't exist. Each has its
advantages, but I don't think they're large enough to declare one more
secure.




More information about the PLUG mailing list