Re: [fw-wiz] Performance question Drop or Reject
- From: K K <kkadow@xxxxxxxxx>
- Date: Fri, 15 Jan 2010 10:56:11 -0600
On Wed, Jan 13, 2010 at 9:10 PM, Jason Lewis <jlewis@xxxxxxxxxxxxxxx> wrote:
> Is there any performance difference between a Drop/Deny or Reject rules? IDK if it's relevant, but I'm using iptables. If there isn't a performance hit between the two rules, is there anything else that might steer me towards picking one over the other?

Reject involves generating a new reply packet and transmitting it,
this does have a performance impact.

Drop is "faster", a drawback to drop is that the originating host is
likely to re-send the packet, so you'll just have to do the work
again. If your site is often the target of spoofed packets (e.g.
DDoS), then you would want to choose "drop".

IME, the #1 reason people chose "Drop" is that they like to see
"stealth" in their ShieldsUP! results :)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
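
The trade-off discussed in this thread, as an added example that is not part of the original post: a script that emits an iptables-restore ruleset which REJECTs refused traffic at a bounded rate and DROPs anything beyond it, so ordinary clients get a fast failure while a flood of spoofed packets does not make the firewall generate a reply per packet. This goes one step past the reply by combining both targets. The `REFUSE` chain name, the 10/second rate with burst 20, and the allowed SSH port are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): REJECT up to a bounded rate, DROP the rest.
# Assumptions (constructed values): rate 10/second, burst 20, SSH allowed on 22.

REJECT_RATE="${REJECT_RATE:-10/second}"   # ceiling on reply packets we generate
REJECT_BURST="${REJECT_BURST:-20}"        # short bursts allowed above that rate

# Print the ruleset in iptables-restore format; nothing is loaded here.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:REFUSE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REFUSE
# Within the limit: send a reply so real clients fail fast instead of re-sending.
-A REFUSE -p tcp -m limit --limit ${REJECT_RATE} --limit-burst ${REJECT_BURST} -j REJECT --reject-with tcp-reset
-A REFUSE -p udp -m limit --limit ${REJECT_RATE} --limit-burst ${REJECT_BURST} -j REJECT --reject-with icmp-port-unreachable
# Over the limit (for example a spoofed flood): no reply packet is generated.
-A REFUSE -j DROP
COMMIT
EOF
}

# Running the script prints the ruleset. To check the syntax without
# committing it:  build_ruleset | iptables-restore --test
build_ruleset
```
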