Re: iptables: DROP or REJECT?

From: Michael Zawrotny (zawrotny_at_sb.fsu.edu)
Date: 10/07/05


Date: 7 Oct 2005 13:08:38 GMT

On Thu, 06 Oct 2005 20:35:36 -0400, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>
> Rossz wrote:
> >
> > One question, what is the better choice, DROP or REJECT, when an
> > unauthorized ip address attempts to connect? Why?
>
> However, because of this, DROP doesn't increase the number
> of packets traversing your interface, and (as a policy) reduces your exposure
> to black hats by minimizing your TCP/IP "profile".
>
> OTOH, REJECT discards the packet and sends an ICMP ERROR message back to the
> originator of the packet (in conformance with the requirements of the TCP/IP
> standards). However, because of this, REJECT increases the amount of traffic
> over your connection (because of all those ICMP ERROR packets it sends) and
> does nothing to minimize your profile.

It's not quite that simple. The TCP stack on the sender's machine may
wait, then send another SYN packet, and possibly repeat several times.
In that case DROP may actually increase the incoming traffic.

In addition to the suggestions from other posters, you can keep
traffic down and minimize your profile by using REJECT with a "host
unreachable" type instead of the default "port unreachable". Doing
that makes the sender think that either there is no machine there,
or that it is down completely. That of course is not true if you allow
ping through and they use that to test first.

Mike

-- 
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:  zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069
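The REJECT variant Mike describes, written out as an added example that is not part of the original post: a POSIX shell function that emits an iptables-restore ruleset sending unauthorized sources an ICMP "host unreachable" instead of the default "port unreachable", and silently dropping their echo-requests so a ping cannot contradict that answer. The chain name UNAUTHORIZED and the RFC 5737 documentation addresses used in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or any project's code.
# Emits an iptables-restore ruleset implementing "REJECT with host-unreachable".
# Usage: build_rules 203.0.113.7 198.51.100.0/24 | sudo iptables-restore
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:UNAUTHORIZED - [0:0]
-A INPUT -i lo -j ACCEPT
EOF
    # One jump per unauthorized source, placed before the conntrack accept so
    # that existing connections from a newly blocked host are cut off as well.
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -j UNAUTHORIZED"
    done
    cat <<'EOF'
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited) before rejecting so the attempts stay visible to the admin.
-A UNAUTHORIZED -m limit --limit 5/min -j LOG --log-prefix "UNAUTH: "
# Swallow echo-request silently; a ping reply would reveal the host is up.
-A UNAUTHORIZED -p icmp --icmp-type echo-request -j DROP
# "Host unreachable" instead of the default "port unreachable": the sender
# is told the machine is not there rather than that one port is closed.
-A UNAUTHORIZED -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
}

# Self-check helper: number of per-source jump rules in the generated ruleset.
count_source_rules() {
    build_rules "$@" | grep -c -- '-j UNAUTHORIZED$'
}
```

Review the output with `build_rules ... | less` before piping it into iptables-restore, since the INPUT policy above is DROP and will cut off anything not explicitly allowed.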