Re: netfilter - do you DROP or REJECT?

From: James T (turajb_at__NOSPAM_hoflink.com)
Date: 11/28/04


Date: Sat, 27 Nov 2004 21:21:17 -0500

On Sun, 21 Nov 2004 01:50:18 +0100, daniel hagen wrote:

> Howdy NG,
>
> I'd like to discuss your preferred way of handling unaccepted
> packets in netfilter/ iptables. As I dealt with nmap
> these days I recognized that hiding is impossible anyway.
>
> If connections are DROPped it can be recognized
> as filtered. If connections are REJECTed the port is reported
> closed. In both cases connecting to the port is impossible.
>
> Not responding to PING is also no extra-security, cause
> if the requested host would not be online, the replying host
> would be told "destination unreachable".
>
> Did I get that right?
>
> So I decided to allow ping-replies and changed my rules
> from DROP to REJECT --reject-with *.
>
> How do you guys handle this stuff?
>
> Greetz
>
> Daniel

My rule for this situation is DROP all packets you want to block from the
IP, unless you have a very specific reason why you need to REJECT it. This
process simply protects the system better during DoS attacks.

This is what I do with my server's firewalls/iptables when I run my custom
scripts which tail/scan my logs every minute and block IPs which try to do
funny things to the system (like blocking IPs of those SSH worms which try
common login usernames/passwords). This process has helped defend our
servers against several DoS attacks & login dictionary attacks.

This is of course my 2 cents on the issue, and what you want to do is
totally up to you. This is however what I found out the hard way.

James
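An added illustration of the log-scan-and-DROP process James describes (example code written for this page, not his script): it counts sshd failed-login lines per source address over constructed sample log lines, skips an assumed allowlist so a trusted address is never blocked, and emits netfilter DROP rules. The threshold, the chain name BLOCKLIST and the allowlist are assumptions; the rules are printed rather than applied.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not from a real host).
SAMPLE_LOG='Nov 27 21:20:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Nov 27 21:20:02 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Nov 27 21:20:03 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 4003 ssh2
Nov 27 21:20:04 host sshd[1004]: Failed password for invalid user oracle from 198.51.100.7 port 4004 ssh2
Nov 27 21:20:05 host sshd[1005]: Accepted publickey for james from 203.0.113.5 port 4005 ssh2'

THRESHOLD=3                 # assumed: failures per address before blocking
CHAIN=BLOCKLIST             # assumed chain; create it and jump to it from INPUT
ALLOWLIST="203.0.113.5"     # assumed trusted addresses, never blocked

# offenders: read log text on stdin, print each source address that has
# at least THRESHOLD "Failed password" lines from sshd.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# drop_rules: read one address per line on stdin and print an iptables
# rule per address. DROP is used instead of REJECT, as in the post above,
# so the blocked host gets no reply at all. Allowlisted addresses are skipped.
drop_rules() {
    while read -r ip; do
        case " $ALLOWLIST " in
            *" $ip "*) continue ;;
        esac
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

# Print the rules a cron job would apply (pipe into sh to apply them).
printf '%s\n' "$SAMPLE_LOG" | offenders | drop_rules
```

Only 192.0.2.10 crosses the threshold in the sample, so a single DROP rule is printed; run the pipeline against a real log with `tail` in place of the sample text.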
