iptables firewall default to drop instead of reject?

Jurgen Kramer gtm.kramer at inter.nl.net
Sat Jan 21 11:09:00 UTC 2006


On Fri, 2006-01-20 at 19:20 -0300, Horst von Brand wrote:
> Jurgen Kramer <gtm.kramer at inter.nl.net> wrote:
> > I noticed that with FC5t2 the iptables firewall still has the -j REJECT
> > --reject-with icmp-host-prohibited rule instead of a more secure -j
> > DROP. 
> > What is the reason behind this? 
> 
> DROP is extremely rude to the other end, which times out wondering what
> happened to the stuff sent.
> 
Maybe rude, but I think this is the default behavior for (most)
commercial firewalls. Most people will disable ICMP echo replies on
machines connected to the net so script kiddies won't find them easily,
but if the firewall just answers every knock on any random port that
won't help.

> How would a nice error message back telling them they aren't allowed to do
> $WHATEVER be less secure than just letting them hang out to dry? The end
> result is the same...
> -- 
> Dr. Horst H. von Brand                   User #22616 counter.li.org
> Departamento de Informatica                     Fono: +56 32 654431
> Universidad Tecnica Federico Santa Maria              +56 32 654239
> Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
> 
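To make the REJECT-versus-DROP question concrete, here is an added worked example (not code from the thread, Fedora, or the iptables project) that parses `iptables-save` output, follows the unconditional jump from INPUT into the RH-Firewall-1-INPUT chain, reports the catch-all action a packet hits when nothing else matches, and describes what the probing host observes for each choice. The ruleset is a constructed sample modelled on the FC5-era default (REJECT with icmp-host-prohibited at the end of RH-Firewall-1-INPUT); the function names are mine.

```python
import re
import shlex

# Constructed sample in iptables-save format, modelled on the Fedora default
# of the era. It is not a dump from any real host.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_filter_table(text):
    """Parse iptables-save text into {chain: {"policy": str|None, "rules": [tokens]}}.
    Only the *filter table is kept; ':NAME POLICY [pkts:bytes]' lines declare chains."""
    chains, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "filter":
            continue
        if line.startswith(":"):
            name, policy, _counters = line[1:].split(None, 2)
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
            continue
        tokens = shlex.split(line)
        if tokens[:1] == ["-A"] and len(tokens) >= 2:
            chains.setdefault(tokens[1], {"policy": None, "rules": []})["rules"].append(tokens[2:])
    return chains


def rule_parts(tokens):
    """Split one rule into (match criteria, target, target options)."""
    if "-j" not in tokens:
        return tokens, None, []
    i = tokens.index("-j")
    return tokens[:i], tokens[i + 1], tokens[i + 2:]


def terminal_action(chains, chain="INPUT", _seen=()):
    """Action taken on a packet that matches none of the conditional rules:
    ('REJECT', 'icmp-host-prohibited'), ('DROP', None), ('ACCEPT', None), ...
    Rules with no match criteria apply to every packet, so the first such rule
    decides; unconditional jumps into user chains are followed, and a chain
    with no catch-all falls back to its policy (builtin) or returns (user)."""
    if chain in _seen:
        raise ValueError("jump loop through chain %s" % chain)
    entry = chains[chain]
    for tokens in entry["rules"]:
        match, target, opts = rule_parts(tokens)
        if match:                      # conditional rule: our packet need not match
            continue
        if target in TERMINAL:
            reject_with = None
            if target == "REJECT":     # iptables default reject type for IPv4
                reject_with = "icmp-port-unreachable"
                if "--reject-with" in opts:
                    reject_with = opts[opts.index("--reject-with") + 1]
            return target, reject_with
        if target == "RETURN":
            break
        if target in chains:           # unconditional jump into a user chain
            result = terminal_action(chains, target, _seen + (chain,))
            if result is not None:
                return result
        # LOG and other non-terminal targets: keep walking the chain
    policy = entry["policy"]
    return (policy, None) if policy else None


REJECT_RE = re.compile(r"^(-A \S+) -j REJECT(?: --reject-with \S+)?$")


def with_terminal_target(text, target="DROP"):
    """Copy of the ruleset with the last REJECT catch-all swapped for `target`,
    used here to build the DROP variant the thread argues about."""
    lines = text.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        m = REJECT_RE.match(lines[i].strip())
        if m:
            lines[i] = "%s -j %s" % (m.group(1), target)
            break
    else:
        raise ValueError("no terminal REJECT rule found")
    return "\n".join(lines) + "\n"


def sender_sees(action, reject_with=None):
    """What the remote host observes for a packet that hits the catch-all."""
    if action == "DROP":
        return "no reply: connect() retransmits SYNs and eventually times out"
    if action == "REJECT":
        if reject_with == "tcp-reset":
            return "TCP RST: looks like a closed port on a live host"
        return "ICMP unreachable (%s): immediate error, and proof a host is there" % reject_with
    return "accepted: no filtering at all"


if __name__ == "__main__":
    variants = (("Fedora default", SAMPLE_RULESET),
                ("DROP variant", with_terminal_target(SAMPLE_RULESET, "DROP")))
    for label, text in variants:
        action, reject_with = terminal_action(parse_filter_table(text))
        print("%-15s INPUT catch-all: %s %s" % (label, action, reject_with or ""))
        print("%-15s sender sees:     %s" % ("", sender_sees(action, reject_with)))
```

Run it against a real `iptables-save` dump to see which of the two behaviours a host actually has; the interesting cases are chains where the catch-all is reached only through a jump, which a grep for `-j DROP` or `-j REJECT` alone gets wrong.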