[H-GEN] An iptables question ...

Robert Brockway robert at timetraveller.org
Thu Sep 19 08:10:26 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Thu, 19 Sep 2002, Tony Nugent wrote:

> >   $IPTABLES -I INPUT -p tcp -s ! x.y.z.0/24 --dport 80 -j DROP
>
> I realise that this is being very "picky", but I would personally
> not -j DROP these packets, but -j REJECT them instead.
>
> By default REJECT results in an ICMP port unreachable packet being
> generated (although with netfilter it is possible to specify what
> type of icmp reply is generated).
>
> DROP simply ignores the packet altogether (no icmp packets are
> generated).

Hi Tony.  Many security experts suggest using DROP rather than REJECT for
exactly the reasons you note.  If you use REJECT then the firewall will
send ICMP port unreachable (or optionally another ICMP code) whereas DROP
results in just silence at the remote end.  Using DROP is considered
preferable as it gives as little information as possible to the probing
machine[1].  It is particularly useful as it slows down many automated
probing scripts.  If they get a port unreachable response they move on
(launching the next probe on you or someone else), but if they just get
silence they have to wait to timeout.

[1] I understand what you're getting at with respect to revealing the
existence of the firewall.  It's important to remember that a DROP may
disguise the presence of a server since a firewall will typically drop
packets to any box in a subnet it protects, even those that don't exist or
aren't up.  So we disguise the existence of our servers at the expense of
revealing the presence of a firewall.  So with DROP on the firewall the
baddies will only find my server if they hit a port they have access to
(eg port 53 or 80), not just by hitting an arbitrary port or even pinging it.

In general I'll use DROP but there may still be occasions when REJECT is
preferable.

Cheers,
	-Rob

-- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
   Linux counter project ID #16440 (http://counter.li.org)
   "The earth is but one country and mankind its citizens" -Baha'u'llah
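The DROP and REJECT variants of the rule discussed in this thread, written out side by side as an added example (not from the original post): each mode is paired with what a remote prober observes, so the trade-off Rob describes can be checked against the actual netfilter options. The subnet 192.0.2.0/24 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Builds the rule from the
# post in its DROP and REJECT forms; ALLOWED_NET is a constructed placeholder.
ALLOWED_NET="192.0.2.0/24"

# build_rule MODE NET PORT -> prints one iptables command
#   drop       : packet silently discarded
#   reject     : ICMP port unreachable, netfilter's default --reject-with
#   reject-rst : TCP RST, what an unfiltered closed port would answer with
build_rule() {
    mode=$1; net=$2; port=$3
    # "! -s" is the current negation syntax; "-s !" in the post is the older form
    base="iptables -I INPUT -p tcp ! -s $net --dport $port"
    case $mode in
        drop)       echo "$base -j DROP" ;;
        reject)     echo "$base -j REJECT --reject-with icmp-port-unreachable" ;;
        reject-rst) echo "$base -j REJECT --reject-with tcp-reset" ;;
        *)          echo "build_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# observed_by_prober MODE -> what a host outside ALLOWED_NET sees on a SYN
# to the filtered port (the behaviour described in the thread)
observed_by_prober() {
    case $1 in
        drop)       echo "no reply; prober waits for its own timeout" ;;
        reject)     echo "ICMP port unreachable; prober moves on immediately" ;;
        reject-rst) echo "TCP RST; looks like a closed port, not a filter" ;;
        *)          return 1 ;;
    esac
}

# Print every variant next to its effect.  Nothing is applied: to insert a
# rule, run the printed command as root.
show_variants() {
    for m in drop reject reject-rst; do
        printf '%-10s %s\n' "$m" "$(build_rule "$m" "$ALLOWED_NET" 80)"
        printf '%-10s -> %s\n' "" "$(observed_by_prober "$m")"
    done
}

show_variants
```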


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
