Re: [FW-1] Drop vs Reject
Devon Harding - GTHLA wrote:

> What is the main difference between Drop and Reject?

"Drop" lets the packet fall to the floor to be cleaned up by the janitor. Think of a smoker discarding their butts... once they've left the hand they no longer exist.

"Reject" sends a message back to the source IP stating that the packet has been rejected and letting your potential hacker know he's got a firewall to penetrate.

For this reason, most services are better dropped. A few should be sent back to stop inordinate delays on the other end, but it's Friday afternoon and I can't recall which ones exactly. "Identd" is one if you need to access a popserver outside the firewall. Personal recommendation is don't access a pop server outside the firewall unless you have intelligent users who aren't going to set all their passwords to their pets' names. (All pop passwords are sent in clear text.)

Some people say "Rejecting" is also nicer for your legitimate clients because they will keep retransmitting packets until the timeout is reached. Personally I don't reckon your legitimate clients should be trying to access closed ports on your firewall, so drop everything. It depends if you want to be nice or safe.

Have a look at: http://lists.debian.org/debian-firewall/2002/debian-firewall-200204/msg00097.html and follow the thread to get both sides of the argument.

Regards

Matt

--
Informática, Telecomunicacions y Sistemas, S.A.
Avda. El condor 720, Ciudad Empresarial Huechuraba, Santiago, Chile
http://www.its.cl
Matt Sheumack, Project Manager
Tel: (56 2) 738 4959
Fax: (56 2) 738 4203
[email protected]
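What the two actions look like from a legitimate client's side, as an added example that is not part of the original post: a rejected connection fails at once, while a dropped one leaves the client waiting out its timer. The function names, the 2-second probe timeout and the Linux SYN retry defaults (6 retries, 1-second initial timer) are assumptions of this example.

```python
import socket
import time

def syn_giveup_seconds(retries=6, initial_rto=1.0):
    """Seconds a client waits on a silently dropped SYN before giving up:
    the first SYN plus `retries` retransmissions, timer doubling each time.
    Defaults are the assumed Linux values (tcp_syn_retries=6, 1 s timer)."""
    return sum(initial_rto * 2 ** i for i in range(retries + 1))

def classify_connect(host, port, timeout=2.0):
    """Return (verdict, elapsed_seconds) as a legitimate client experiences it."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "accepted"
    except ConnectionRefusedError:
        verdict = "rejected"     # a reset or port-unreachable came back
    except socket.timeout:
        verdict = "dropped"      # silence: the client sat out the whole timer
    except OSError:
        verdict = "unreachable"  # ICMP host/net unreachable, or a local routing error
    finally:
        sock.close()
    return verdict, time.monotonic() - start

def local_demo():
    """Constructed loopback demo: one listening port, then the same port closed.
    A closed loopback port answers with a reset, which is the reply a
    "Reject" rule sends on the firewall's behalf."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": classify_connect("127.0.0.1", port)}
    listener.close()
    results["closed"] = classify_connect("127.0.0.1", port)
    return results

if __name__ == "__main__":
    for name, (verdict, elapsed) in local_demo().items():
        print(f"{name:10s} {verdict:9s} {elapsed:.3f}s")
    print(f"a dropped SYN would hold the client for {syn_giveup_seconds():.0f}s")
```

The "dropped" verdict needs a real drop rule in the path to show up, so the loopback demo only exercises the accepted and rejected cases.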