[Firehol-support] Re: whitelisting
Daniel Pittman
daniel at rimspace.net
Fri Jul 16 10:23:43 BST 2004
On 16 Jul 2004, justice8 at wanadoo.fr wrote:
> Daniel Pittman wrote:
>> On 16 Jul 2004, Daniel L. Miller wrote:
[...]
>> That depends. Firehol can do two things with packets: drop and reject.
>>
>> 'drop' means throw the packet away and do nothing more. A silent
>> failure, effectively, with no indication to the sender that anything
>> happened at all.
>>
>> 'reject' means to tell the sender that they were not permitted to
>> connect, which is much nicer to them.
>
> From a security point of view, it's better to drop instead of reject
> everything which is not welcome from the internet, in order not to give
> any hints to a potential attacker.
If you drop, rather than reject, packets you don't conceal any
information.
You *do* make it considerably slower for an attacker to scan your
system, unless they use a relatively aggressive tool, or something a
little more clever than simply waiting for a TCP timeout.
If you doubt this, try running an nmap scan against a host that drops
packets some time -- exactly the same information, and not all that much
slower.
Also, if you live somewhere that metered bandwidth costs you a lot,
using reject rather than drop prevents retransmissions of packets used
in connection attempts, which can represent a notable quantity of
traffic depending on your situation.
Regards,
Daniel
--
Trust the art, not the artist.
-- Bruce Springsteen
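As an added illustration (not part of the thread, and not the FireHOL project's own example): a FireHOL configuration that whitelists SSH for two administrative hosts, answers any other SSH attempt with a TCP reset so legitimate users fail fast, and drops everything else on the internet-facing interface. The interface name, the addresses and the `version 5` line are assumptions matching FireHOL 1.x of that era; the `reject with tcp-reset` qualifier passes the standard iptables REJECT type through and should be checked against the installed version.

```firehol
version 5

# Interface facing the internet (name eth0 assumed).
interface eth0 internet
    # Packets matching no rule below are silently discarded.
    # Use 'policy reject' instead if metered bandwidth matters more to
    # you than the small slowdown a timeout imposes on a scanner.
    policy drop
    protection strong

    # Whitelist: only these administrative hosts may open SSH sessions
    # (documentation-range addresses, constructed for this example).
    server ssh accept src "192.0.2.10 192.0.2.11"

    # Everyone else asking for SSH gets an immediate RST rather than a
    # timeout; the port is visible either way, so nothing is concealed
    # and no SYN retransmissions are paid for.
    server ssh reject with tcp-reset

    # Public service offered to anyone.
    server http accept

    # Outbound connections from this host.
    client all accept
```

Rules are applied in the order written, so the accept for the whitelisted hosts must precede the reject for the same service.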