[Firehol-support] Re: whitelisting

Daniel Pittman daniel at rimspace.net
Fri Jul 16 11:23:43 CEST 2004


On 16 Jul 2004, justice8 at wanadoo.fr wrote:
> Daniel Pittman a écrit :
>> On 16 Jul 2004, Daniel L. Miller wrote:

[...]

>> That depends. Firehol can do two things with packets: drop and reject.
>>
>> 'drop' means throw the packet away and do nothing more. A silent
>> failure, effectively, with no indication to the sender that anything
>> happened at all.
>>
>> 'reject' means to tell the sender that they were not permitted to
>> connect, which is much nicer to them.
>
> From a security point of view, it's better to drop instead of reject
> everything which is not welcome from the internet, in order not to give
> any hints to a potential attacker.

If you drop, rather than reject, packets you don't conceal any
information.

You *do* make it considerably slower for an attacker to scan your
system, unless they use a relatively aggressive tool, or something a
little more clever than simply waiting for a TCP timeout.

If you doubt this, try running an nmap scan against a host that drops
packets some time -- exactly the same information, and not all that much
slower.


Also, if you live somewhere that metered bandwidth costs you a lot,
using reject rather than drop prevents retransmissions of packets used
in connection attempts, which can represent a notable quantity of
traffic depending on your situation.

Regards,
        Daniel
-- 
Trust the art, not the artist.
        -- Bruce Springsteen
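An added illustration of the point made above (example code written for this archive page, not part of the original post, of firehol, or of nmap): a small connect-scan probe that classifies a port as open, closed (the target answered, which is what a REJECT rule produces) or filtered (no answer before the timeout, which is what a DROP rule produces). The listener and free-port helpers, the injectable `connect` callable and the `dropping_connect` stand-in for a dropping firewall are all constructed for the example so it runs offline against loopback. The scanner learns exactly the same thing either way, "no service here"; the only difference is how long each dropped probe holds a worker, and running probes concurrently recovers most of that time.

```python
"""Connect-scan probe: reject vs drop as seen from the scanner's side.

'closed'   -> the target answered (RST or ICMP unreachable): a REJECT rule
'filtered' -> nothing came back before the deadline: a DROP rule
Both tell the scanner the same thing; 'filtered' just takes longer.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor


def tcp_connect(host, port, timeout):
    """Real connect attempt; raises the usual socket errors on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def dropping_connect(host, port, timeout):
    """Hypothetical stand-in for a port behind a DROP rule: the probe just
    waits out the whole timeout and then gives up with no reply at all."""
    time.sleep(timeout)
    raise socket.timeout("no reply from %s:%d" % (host, port))


def probe(host, port, timeout=2.0, connect=tcp_connect):
    """Return (state, seconds) for one TCP port.

    `connect` is injectable so the classification can be exercised without a
    real dropping firewall in the path.
    """
    start = time.monotonic()
    try:
        connect(host, port, timeout)
        state = "open"
    except ConnectionRefusedError:
        # RST from the stack, or ICMP port-unreachable mapped to ECONNREFUSED
        # by the kernel: this is what REJECT looks like, and it is immediate.
        state = "closed"
    except (socket.timeout, TimeoutError):
        # No answer at all before the deadline: this is what DROP looks like.
        # The scanner still learns there is no service; it just waited for it.
        state = "filtered"
    except OSError:
        # e.g. EHOSTUNREACH / ENETUNREACH: still "nothing reachable here"
        state = "filtered"
    return state, time.monotonic() - start


def scan(host, ports, timeout=2.0, workers=64, connect=tcp_connect):
    """Probe many ports concurrently; returns {port: state}.

    Parallelism is the 'relatively aggressive tool': with N workers a run of
    dropped ports costs about timeout * len(ports) / N seconds instead of
    timeout * len(ports), so DROP buys little against anything but a naive
    one-port-at-a-time scanner.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout, connect), ports))
    return {p: state for p, (state, _) in zip(ports, results)}


def summarize(states):
    """Count states. 'closed' and 'filtered' both mean 'no service' to the
    attacker; the split only tells them which kind of firewall rule they hit."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for s in states.values():
        counts[s] += 1
    return counts


def make_listener():
    """Constructed test fixture: a listening loopback socket and its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port():
    """Constructed test fixture: a loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = make_listener()
    targets = [open_port, free_port(), free_port()]
    print(scan("127.0.0.1", targets, timeout=1.0))
    srv.close()
    # Simulated DROP: each probe burns the full timeout, but 16 workers make
    # 16 dropped ports cost about one timeout rather than sixteen.
    t0 = time.monotonic()
    dropped = scan("198.51.100.1", range(1, 17), timeout=0.25, workers=16,
                   connect=dropping_connect)
    print(summarize(dropped), "in %.2fs" % (time.monotonic() - t0))
```

Against a real host, swap the loopback targets for the firewalled machine and leave `connect` at its default; against a REJECT rule the refused probes come back in milliseconds, against a DROP rule they take the full timeout each, and the resulting port map is identical.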
