Drop or reject: which is better?
This is not true. As such, the best firewalling setup is one where only selected ports are forwarded. Your DROP rule will advertise your firewall, and port-scanners will know that you are firewalling something and keep hammering you in the hopes of catching your firewall down.

My point is, it is detectable from outside whether you are firewalling something or not, because of the mere fact that your TCP stack behaves differently when you DROP than when you don't have a service running in the first place! That doesn't alter the fact that there are botnets capitalizing on the difference and monitoring your ports as a consequence.

Dagelf, where are you getting the information that DROP sends a response? That's big news and runs counter to everything I've observed and been told. Do you have a link to the documentation that describes this behaviour?

Dagelf, you're partially correct, but made quite a mess of things. Now, a REJECT rule will default to "reject-with icmp-port-unreachable", replying with an ICMP packet, and is thereby different from both a closed-port response and a DROPped timeout response.

Since a REJECT rule sends a response back to the source host within a single round-trip time, this means that your client devices will receive an instant response from the firewall without having to wait for a lengthy timeout to occur.

In contrast, a DROP rule would not notify the source host, and may result in unpredictable behaviour which may give the impression that the client or source host has crashed or hung. This post describes what is probably best suited to most basic firewall setups where the internet is on one side and the internal LAN is on the other. In summary: use REJECT to disallow trusted hosts by gracefully informing them that the traffic is not allowed to pass, and use DROP in an attempt to cause delays and disruption to a not so persistent attacker by sending their packets into a black hole without any response for them to analyse.
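The ruleset that summary describes, as an added example (my code, not from the answer or either thread): a POSIX shell script that loads an iptables INPUT chain with REJECT for the trusted LAN and DROP for the internet side. It assumes eth0 faces the internet, eth1 faces the LAN 192.168.1.0/24, and TCP 22 and 443 are the intended services; by default it only prints the rules, and APPLY=1 (as root) loads them.

```shell
#!/bin/sh
# Added example, not code from either thread. Loads an INPUT chain that follows
# the summary above: REJECT for the trusted LAN, DROP for the internet side.
# Assumed names: eth0 = internet-facing interface, eth1 = LAN interface,
# 192.168.1.0/24 = LAN network, TCP 22 and 443 = the intended services.
# Safe by default: rules are printed; run with APPLY=1 (as root) to load them.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVICES="${SERVICES:-22 443}"

ipt() {
    # Print the command in dry-run mode, otherwise hand it to iptables unchanged.
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

apply_rules() {
    ipt -F INPUT
    # Default policy is the black hole: anything not matched below is DROPped.
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Ports that are meant to be reachable from anywhere.
    for port in $SERVICES; do
        ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Trusted LAN: answer immediately so clients fail fast instead of hanging.
    # tcp-reset makes a blocked TCP port look like an ordinary closed port (RST);
    # the default icmp-port-unreachable is distinguishable from a closed port.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j REJECT --reject-with icmp-port-unreachable
    # Internet side: no reply at all; the sender is left waiting for its own timeout.
    ipt -A INPUT -i "$WAN_IF" -j DROP
}

apply_rules
```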

I see lots of conflicting answers here, and given this is the first article in Google with the right keywords, here is the correct explanation.

Or just running services on your internet-facing machines that do not require firewalling.

What do the three rules do?

Kiwy - Read the link and try it yourself. This is because legitimate users suffer from a slow connection while waiting for the connection to time out, and crackers merely configure their tools to not wait for a timeout.

I do not go with that conclusion. REJECT generates an ICMP answer that can be analysed. Based on this analysis, good attack engines can derive the OS that is being used.

So on a system where all ports are known, DROP might be better. This applies to servers in a production environment.