iptables question

Corey Edwards tensai at zmonkey.org
Wed Nov 5 20:29:33 MST 2008


On Wed, 2008-11-05 at 08:38 -0700, Stuart Jansen wrote:
> You could argue that REJECT leaves doubt about whether a firewall
> exists. If there's even a single port open, DROP confirms that a
> firewall exists. The attacker just has to figure out how to get around
> it. An advantage of DROP is that it uses less CPU and bandwidth.

DROP also reduces possible smurf attacks. Consider if host A sends a TCP
SYN packet to host B, but forges the source address of C. B is going to
respond to C that the port is closed. If you add up enough As,
eventually you could really flood C with a bunch of bogus traffic
without C knowing where the actual source of the attack is. This type of
attack is also fun to do with ICMP echo-request to a broadcast address,
and recently it's been picked up with stateless UDP protocols as well
(DNS, for one).

In general I prefer to DROP on the Internet side and REJECT on the LAN
side.

Corey
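A concrete ruleset for the "DROP on the Internet side, REJECT on the LAN side" policy above, written as an added example for this archive page (it is not code from Corey's message or from the thread). The interface names eth0 (Internet) and eth1 (LAN), the choice of SSH as the only service accepted from outside, and the DRY_RUN preview switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: per-interface INPUT policy.
# Internet side (WAN_IF): DROP, so no RST or ICMP error is reflected to a
# forged source address.  LAN side (LAN_IF): REJECT, so local clients get
# an immediate error instead of hanging until a connect timeout.
# Interface names and the SSH allowance are assumptions for this example.

WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN interface
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1 prints the rules instead of loading them

# Emit one rule: print it in dry-run mode, otherwise hand it to iptables.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules common to both sides: loopback, replies to connections this host
# started, and anything conntrack cannot classify.
base_rules() {
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Internet side: accept new SSH, silently discard everything else.  A SYN
# from host A carrying host C's source address gets no answer at all, so
# this box cannot be used to bounce bogus traffic at C.
wan_rules() {
    rule -A INPUT -i "$WAN_IF" -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$WAN_IF" -j DROP
}

# LAN side: accept new SSH, answer everything else with the proper error.
# TCP gets a RST (tcp-reset is only valid with -p tcp); everything else
# gets an ICMP port-unreachable.
lan_rules() {
    rule -A INPUT -i "$LAN_IF" -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$LAN_IF" -p tcp --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
}

# Flush INPUT, set its default policy to DROP, then install the rules in
# order: common rules first so replies are matched before the per-side rules.
apply_firewall() {
    rule -F INPUT
    rule -P INPUT DROP
    base_rules
    wan_rules
    lan_rules
}

# Usage:  sh firewall.sh preview   (print the rules)
#         sh firewall.sh apply     (load them; needs root)
case "${1:-}" in
    preview) DRY_RUN=1; apply_firewall ;;
    apply)   apply_firewall ;;
esac
```

Run it with "preview" first and read the rule list; the only lines that name the Internet interface should end in ACCEPT or DROP, never REJECT. The LAN-side tcp-reset rule is placed before the generic ICMP rule because --reject-with tcp-reset is rejected by iptables unless the rule also matches -p tcp.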
