Re: iptables: DROP or REJECT?

From: Michael Zawrotny (zawrotny_at_sb.fsu.edu)
Date: 10/07/05


Date: 7 Oct 2005 13:08:38 GMT

On Thu, 06 Oct 2005 20:35:36 -0400, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>
> Rossz wrote:
> >
> > One question, what is the better choice, DROP or REJECT, when an
> > unauthorized ip address attempts to connect? Why?
>
> However, because of this, DROP doesn't increase the number
> of packets traversing your interface, and (as a policy) reduces your exposure
> to black hats by minimizing your TCP/IP "profile".
>
> OTOH, REJECT discards the packet and sends an ICMP ERROR message back to the
> originator of the packet (in conformance with the requirements of the TCP/IP
> standards). However, because of this, REJECT increases the amount of traffic
> over your connection (because of all those ICMP ERROR packets it sends) and
> does nothing to minimize your profile.

It's not quite that simple. The TCP stack on the sender's machine may
wait, then send another SYN packet, and possibly repeat several times.
In that case DROP may actually increase the incoming traffic.

In addition to the suggestions from other posters, you can keep
traffic down and minimize your profile by using REJECT with a "host
unreachable" type instead of the default "port unreachable". By doing
that it makes the sender think that either there is no machine there,
or that it is down completely. That of course is not true if you allow
ping through and they use that to test first.

Mike

-- 
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:  zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069
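
The caveat at the end of the reply (a "host unreachable" answer is contradicted if ping is still let through) can be checked mechanically. The script below is an added example, not part of the original post: it reads rules in `iptables -S INPUT` format and reports whether an echo-request ACCEPT sits ahead of the host-unreachable REJECT. The function name, the sample rulesets and the address 203.0.113.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `iptables -S INPUT` style
# rules on stdin and reports whether the "host unreachable" answer also holds
# for ping. Simplification (assumption): -s/-d/-i matches are ignored, so any
# earlier echo-request ACCEPT is flagged for manual review.
audit_input_chain() {
    awk '
        # An ICMP ACCEPT covering echo-request (type 8) or every ICMP type.
        /-p icmp / && /-j ACCEPT/ {
            if ($0 !~ /--icmp-type/ || $0 ~ "--icmp-type (8[ /]|echo-request)")
                if (!ping_ok) ping_ok = NR
        }
        # The REJECT variant suggested in the reply.
        /-j REJECT/ && /--reject-with icmp-host-unreachable/ {
            if (!host_unreach) host_unreach = NR
        }
        END {
            if (!host_unreach) print "no-host-unreachable-rule"
            else if (ping_ok && ping_ok < host_unreach) print "inconsistent: ping accepted at line " ping_ok
            else print "consistent"
        }'
}

# Constructed ruleset: ping is accepted before the REJECT is reached.
sample_leaky() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j REJECT --reject-with icmp-host-unreachable
EOF
}

# Constructed ruleset: the REJECT comes first, so ping gets the same answer.
sample_tight() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
EOF
}

sample_leaky | audit_input_chain
sample_tight | audit_input_chain
```

On a live host the same function can be fed with `iptables -S INPUT | audit_input_chain` (root required).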

