-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 30 Nov 2002 18:22:51 -0800 (PST), David Durst wrote: > > As for the "taking more resources", the default policy only > > determines how you set up your rules, it doesn't have any inherent > > affect on resource usage. You are likely referring to the difference > > between the REJECT and DROP targets. Indeed, REJECT takes more > > resources since the firewall box has to send a reply back to the > > sender for every rejected packet., whereas DROP does just that - > > drops the packet on the floor without a return reply packet. In a > > DDoS situation, it is clear that a DROP policy will lead to a > > lighter load on the box than would using a REJECT target. > > Sorry dude, but the last time I looked into it if a FW is configured > correctly for the system then it shouldn't if you use DROP or ACCEPT > as far as security goes. Typo? ...shouldn't... => ...shouldn't matter...? Somewhere in the packet filter you must DROP packets unless you want to permit everything. A default policy of DROP is like a catch-all rule at the end of each chain which drops everything that hasn't been accepted earlier. > Secondly yes it does take more resources to DROP packets on ports that > nothing is running on. No. If you leave unused ports open, by default the machine would send reply packets. > Also a default DROP and or REJECT could > cause alot of user issues on the other side of the FW in other words > it is much harder to configure for passive FTP w/ a default DROP. A default policy of REJECT is not possible. And of course, with a default policy of DROP you would ACCEPT outgoing connections to FTP control and data ports and make use of stateful filtering and connection tracking. Doesn't take much to allow passive and active FTP. What you write here is contradictory. Default policies of ACCEPT with catch-all DROP rules at the end of every chain would be as secure as default policies of DROP. Configuring the FW to let through FTP would be done in the same way with both FW architectures. However, if you say that a FW is "much harder to configure for passive FTP" when it uses default policies of DROP, that means, you don't use catch-all rules, and therefore your FW is less secure (because it accepts everything which doesn't get dropped/rejected explicitly). > If you still think a default DROP is the way to go for you go for it, > all I was offering was a explination of why many think a default > accept is better. I doubt that "many" think that. A default policy of DROP is generally considered more secure because it forces the administrator to open up specific holes in the FW. The FW would drop everything else. On the contrary, you leave everything open and try to close specific ports and protocols. This is error-prone because it is easy to overlook something unless you place catch-all DROP-rules at the end of every chain. But judging from your comment on passive FTP, it seems you don't. - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) iD4DBQE96Xiq0iMVcrivHFQRAmXAAJ43VQergOH87zIrd+vlN+o6XynXGgCYgG/r f02ThiR03UImeoYAjmp2fg== =E7fb -----END PGP SIGNATURE----- -- Psyche-list mailing list Psyche-list@redhat.com https://listman.redhat.com/mailman/listinfo/psyche-list
