On Tue, 1 Feb 2005, Rob Sterenborg wrote:

> netfilter-bounces@xxxxxxxxxxxxxxxxxxx wrote:
> > What is the basic difference between rejecting a packet & dropping a
> > packet?
> >
> > Both deny the packet, right?
>
> Yes, but REJECT notifies the sender that the packet was not accepted,
> DROP silently discards the packet.
>

To add a tad bit of clarity to a clear explanation: telnet to a system with a firewall that rejects telnets and the connection gets dropped right away, with a message in the window something like "prohibited connection" or "remote host closed connection". Telnet to a host that has a firewall that drops packets and the telnet session hangs the terminal window until the telnet attempt itself times out and drops to the command prompt again.

Sometimes it pays to be nice, like when blocking 113 ident ports and placing a reject rather than a drop, so sendmails will not hang endlessly waiting for the ident reply or the session timeout prior to attempting to send the e-mail. Sometimes ya want the bonehead to hang as long as they are willing to hang the terminal, like with telnets not allowed or ftp not allowed, as ssh/scp are just plain nicer protocols to use, and that fool on the other end has been banging the ports endlessly trying to bruteforce yer userbase/passwd's...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
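The client-side difference the thread describes (REJECT answers at once, DROP leaves the connect waiting until the client's own timer expires) can be checked from the initiating host. The following is an added example, not code from the list post or from netfilter itself; it probes a port with a plain TCP connect and classifies the error it gets back. Host, port, and the "closed loopback port" helper are constructed for the demonstration.

```python
import errno
import socket

# Added example (not from the original post): map the outcome of a TCP
# connect() to the firewall behaviour it suggests. A netfilter REJECT sends
# an answer back immediately (ICMP port-unreachable by default, or a TCP RST
# with --reject-with tcp-reset); DROP sends nothing, so the client sits there
# until its own connect timeout fires, which is the "hanging telnet" effect.

def classify_error(exc):
    """Return a short label describing what the connect() failure implies."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "DROP-like: no answer at all, connect timed out"
    if isinstance(exc, ConnectionRefusedError):
        # Linux reports both a TCP RST and an ICMP port-unreachable as ECONNREFUSED.
        return "REJECT-like: RST or ICMP port-unreachable (the REJECT default)"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "REJECT-like: ICMP host/net unreachable, or no route to host"
    return "other: %r" % (exc,)

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return the classification string."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # the client's own patience; DROP is only detected when it runs out
    try:
        s.connect((host, port))
        return "open: connection accepted"
    except OSError as exc:
        return classify_error(exc)
    finally:
        s.close()

def closed_local_port():
    """Constructed target: a loopback port with no listener (bind to 0, read it, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # A closed port answers with a RST, so this behaves like a REJECT rule.
    print(probe("127.0.0.1", closed_local_port(), timeout=1.0))
```

Run it against a port you have just changed from DROP to REJECT (for example the ident port 113 mentioned above) to confirm the mail server on the other side will now get an immediate answer instead of waiting out its timer.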