On Wed, Jan 13, 2010 at 9:10 PM, Jason Lewis <jlewis@xxxxxxxxxxxxxxx> wrote:
Is there any performance difference between a Drop/Deny or Reject rules?  IDK if it's relevant, but I'm using iptables.   If there isn't performance hit between the two rules, is there anything else that might steer me towards picking one over the other?

Reject involves generating a new reply packet and transmitting it,
this does have a performance impact.

Drop is "faster". A drawback to drop is that the originating host is
likely to re-send the packet, so you'll just have to do the work
again. If your site is often the target of spoofed packets (e.g.
DDoS), then you would want to choose "drop".

IME, the #1 reason people choose "Drop" is that they like to see
"stealth" in their ShieldsUP! results :)
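The trade-off described in the reply above, put into a concrete ruleset. This is an added example, not code from anyone in the thread: it generates an iptables-restore file that REJECTs traffic from a trusted internal range (so a misconfigured legitimate client fails fast instead of retransmitting) and DROPs everything else (so a spoofed source cannot make the host send reply packets to a third party). The address range, the SSH port and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# uses REJECT for trusted senders and DROP for everything else.
# TRUSTED_NET is an assumed placeholder; replace it with the real internal range.

TRUSTED_NET="10.0.0.0/8"   # assumed: where legitimate, non-spoofed clients live
SSH_PORT="22"              # assumed: the one service this host exposes

# Emit the ruleset on stdout (iptables-restore format; '#' lines are comments).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# Trusted clients: REJECT. The client gets an immediate error instead of
# retransmitting until it times out. TCP gets a RST; other protocols get the
# default ICMP port-unreachable.
-A INPUT -s ${TRUSTED_NET} -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -s ${TRUSTED_NET} -j REJECT
# Everyone else: DROP. No reply packet is built or sent, so a spoofed source
# address cannot turn this host into a reflector, and a flood costs only the
# rule lookup per packet.
-A INPUT -j DROP
COMMIT
EOF
}

# Syntax-check the ruleset without loading it, when iptables-restore exists.
# Returns 0 if the binary is missing so the generator can be checked elsewhere.
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || return 0
    gen_rules | iptables-restore --test
}

gen_rules
```

Load it for real with `gen_rules | iptables-restore` as root; `check_rules` only parses it. Note that the REJECT rule for TCP is listed before the generic one so that `--reject-with tcp-reset` applies to TCP while UDP and ICMP from the trusted range still get an ICMP error, which is what most clients need to fail cleanly.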
