
Re: [FW-1] Drop vs Reject



Devon Harding - GTHLA wrote:
>
> What is the main difference between Drop and Reject?

"Drop" lets the packet fall to the floor to be cleaned up by the janitor.
Think of a smoker discarding their butts... once they've left the hand
they no longer exist.

"Reject" sends a message back to the source IP stating that the packet
has been rejected and letting your potential hacker know he's got a
firewall to penetrate.

For this reason, most services are better dropped.

A few should be sent back to stop inordinate delays on the other end,
but it's Friday afternoon and I can't recall which ones exactly. "Identd"
is one if you need to access a POP server outside the firewall. Personal
recommendation is: don't access a POP server outside the firewall
unless you have intelligent users who aren't going to set all their
passwords to their pets' names. (All POP passwords are sent in clear
text.)

Some people say "Rejecting" is also nicer for your legitimate clients
because they will keep retransmitting packets until the timeout is
reached. Personally I don't reckon your legitimate clients should be
trying to access closed ports on your firewall, so drop everything.

It depends if you want to be nice or safe.

Have a look at:

http://lists.debian.org/debian-firewall/2002/debian-firewall-200204/msg00097.html

and follow the thread to get both sides of the argument.

Regards

Matt
--
Informática, Telecomunicacions y Sistemas, S.A.
Avda. El condor 720                     http://www.its.cl
Ciudad Empresarial Huechuraba
Santiago, Chile                         Matt Sheumack
Tel: (56 2) 738 4959                    Jefe de Proyecto
Fax: (56 2) 738 4203                    [email protected]
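The client-side difference Matt describes (a rejected connection fails at once, a dropped one keeps retransmitting until the timeout) can be observed directly. The following probe is an added example, not code from the original post; the address 192.0.2.1 (TEST-NET-1) is an assumed, normally unrouted sample that behaves like a "drop".

```python
import errno
import socket
import time


def probe(host: str, port: int, timeout: float = 3.0) -> tuple:
    """TCP-connect to host:port and classify what the far end did.

    Returns (verdict, seconds_elapsed) where verdict is one of:
      'open'        three-way handshake completed
      'rejected'    a TCP RST came back at once (closed port, or a firewall
                    REJECT rule): the client learns immediately that
                    something answered
      'dropped'     nothing came back before the timeout (a DROP rule or a
                    dead host): the client retransmitted its SYN until it
                    gave up
      'unreachable' ICMP host/net unreachable: a REJECT rule configured to
                    send ICMP unreachable looks the same as a missing route
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "dropped"
    except ConnectionRefusedError:
        verdict = "rejected"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def closed_local_port() -> int:
    """Find a TCP port on 127.0.0.1 that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))   # the kernel picks a free port
        return tmp.getsockname()[1]  # released on close, so it is now closed


if __name__ == "__main__":
    # A closed local port answers with RST, exactly like a REJECT rule.
    print("localhost closed port:", probe("127.0.0.1", closed_local_port()))
    # Constructed sample: TEST-NET-1 is not routed, so the SYN is silently
    # lost and the call only returns after the full timeout, like DROP.
    print("192.0.2.1:80          :", probe("192.0.2.1", 80, timeout=3.0))
```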
