Re: iptables -P INPUT REJECT

> As for the "taking more resources", the default policy only determines
> how you set up your rules, it doesn't have any inherent effect on
> resource usage. You are likely referring to the difference between the
> REJECT and DROP targets. Indeed, REJECT takes more resources since the
> firewall box has to send a reply back to the sender for every rejected
> packet, whereas DROP does just that - drops the packet on the floor
> without a return reply packet. In a DDoS situation, it is clear that a
> DROP policy will lead to a lighter load on the box than would using a
> REJECT target.
Sorry dude, but the last time I looked into it, if a FW is configured
correctly for the system then it shouldn't matter whether you use DROP or
ACCEPT as far as security goes.

Secondly, yes, it does take more resources to DROP packets on ports that
nothing is running on. Also, a default DROP and/or REJECT could
cause a lot of user issues on the other side of the FW; in other words,
it is much harder to configure for passive FTP with a default DROP.

If you still think a default DROP is the way to go for you, go for it;
all I was offering was an explanation of why many think a default accept
is better.

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
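The passive FTP problem raised above is the usual practical objection to a default DROP on INPUT. The script below is an added example written for this archive page, not code from either poster: it emits an iptables-restore ruleset that keeps INPUT at DROP but lets the kernel's FTP connection-tracking helper (the nf_conntrack_ftp module, attached with the CT target) mark passive-mode data connections as RELATED, so a single ESTABLISHED,RELATED rule admits them without opening the passive port range. Port 21 is the standard FTP control port; the ident (113) REJECT rule and the choice to generate the ruleset from a function are my own illustration of where REJECT is friendlier to the other side than a silent DROP.

```shell
#!/bin/sh
# Default-DROP INPUT policy that still works with passive FTP.
# Assumption (constructed for this example): an FTP server on this host
# listens on TCP 21 and the control channel is plain FTP, not FTPS; the
# conntrack helper can only parse unencrypted PASV replies.

FTP_PORT=21

# Print an iptables-restore ruleset on stdout; nothing is applied here.
build_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper explicitly to the control port. Modern kernels no
# longer auto-assign helpers, so this line (plus modprobe nf_conntrack_ftp)
# is what makes the PASV data connection show up as RELATED.
-A PREROUTING -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# RELATED admits the passive data connection after the helper has read the
# PASV reply; ESTABLISHED admits replies to connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Where a silent drop hurts the remote side: servers that do ident lookups
# wait for a timeout if we DROP port 113, so answer with an ICMP error.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Load the helper module and install the ruleset atomically (needs root).
apply_ruleset() {
    modprobe nf_conntrack_ftp && build_ruleset | iptables-restore
}

# Dry run: print the ruleset without touching the running firewall.
build_ruleset
```

Run it as root with `apply_ruleset` once the dry-run output looks right. If the control channel is encrypted (FTPS), the helper cannot see the PASV reply and the passive port range configured in the FTP daemon has to be opened with an explicit ACCEPT rule instead.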