Re: IP Chains -- DENY or REJECT

From: Shaolin Tiger (shaolin@*no-*pgen*-spam*.net)
Date: 03/05/02

From: "Shaolin Tiger" <shaolin@*no-*pgen*-spam*.net>
Date: Mon, 4 Mar 2002 23:47:43 -0000

"Jonathan Angliss" <> wrote in message
> Hi All,
> Been playing with my ipchains rules, and found out something interesting.
> When running an nmap UDP port scan, it shows certain ports open (as
> expected, I've not blocked them yet). I put in a rule to block that
> port... ie:
> /sbin/ipchains -A input -p udp --dport 137 -j DENY
> Apply the new firewall, then rerun the scan... it *still* shows the port
> to be open... I change DENY to REJECT... and re-run the scan, and it
> reports that either the port is filtered, or not open (depending on the
> nmap scan I run). Which usage is correct, DENY or REJECT? I've seen
> people mentioning the use of DENY, but just the simple test I did shows
> DENY seems to be ineffective.
> I'm changing to iptables soon, when I get 5 mins to recompile the kernel
> as it doesn't seem to want to allow me to use iptables ;) Currently
> using a pretty standard RH7.1 installation. Any ideas on the above would
> be appreciated ;)
> -- Jon

Basically DENY sends a reply saying that access is denied to that port if it
is, REJECT totally ignores incoming packets so a scan won't know if it's open
or not.

REJECT is better generally IMHO as it denies all existence of the port to
the outside rule.

The only thing you can't reject is incoming pings as the RFC states every machine
on the Internet must reply to a Ping.