iptables firewall default to drop instead of reject?

Horst von Brand vonbrand at inf.utfsm.cl
Sat Jan 21 23:17:21 UTC 2006


Jurgen Kramer <gtm.kramer at inter.nl.net> wrote:
> On Fri, 2006-01-20 at 19:20 -0300, Horst von Brand wrote:
> > Jurgen Kramer <gtm.kramer at inter.nl.net> wrote:
> > > I noticed that with FC5t2 the iptables firewall still has the -j REJECT
> > > --reject-with icmp-host-prohibited rule instead of a more secure -j
> > > DROP. 
> > > What is the reason behind this? 

> > DROP is extremely rude to the other end, which times out wondering what
> > happened to the stuff sent.

> Maybe rude but I think this is the default behavior for (most)
> commercial firewalls.

Simply broken. Get a better one.

>                       Most people will disable icmp echo replies on
> machines connected to the net so script kiddies won't find them easily
> but if the firewall just answers to every knock on any random port that
> won't help.

Yes, I have had to suffer at the hands of "security experts" that
configured their machines thusly, and so made their networks
"impenetrable"... Besides, you can set it up so that it uniformly answers,
without regard to having a real machine or not at that IP. Legitimate
(stray?) users aren't made to suffer for what to a medium-bright script
kiddie is at most a minor annoyance. I don't care if they can find out
through a sweep if there is something at a particular IP, there are
hundreds of other ways they can use to find out; I /do/ take care that
cracking said machines is not trivial, even if they are behind the firewall
(and most crackers sit there: Legitimate users have access, know their way
around, and are much more probable than the random teenager-in-the-basement
cliche to really want to get you; if they don't know how they can certainly
enlist specialist outside help...).
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
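The two policies the thread compares, written out as an iptables-restore fragment. This is an added illustration, not configuration from the original post or from Fedora; the interface name, the accepted ports and the chain layout are assumptions chosen for the example.

```iptables
# Added example: Fedora-style "reject" tail versus the "drop" tail
# proposed in the thread.  Everything below the ACCEPT lines is what
# differs; the allow rules are constructed for illustration only.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep established flows and loopback working (assumed baseline rules)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services this host actually offers (assumed: only ssh)
-A INPUT -p tcp --dport 22 -j ACCEPT

# Option A (what FC5t2 ships): answer every other probe with an ICMP
# "host administratively prohibited" error.  The peer's connect() fails
# immediately with EHOSTUNREACH instead of waiting for a timeout.
-A INPUT -j REJECT --reject-with icmp-host-prohibited

# Option B (what the original poster asked for): say nothing.  Because
# the INPUT chain policy above is already DROP, the explicit rule is
# redundant; it is shown only to make the contrast visible.
# -A INPUT -j DROP
COMMIT
```

Which tail a packet reaches is the only difference a remote client sees: with option A a stray connection attempt to a closed port returns "No route to host" within one round trip, while with option B the same attempt hangs until the client's own connection timer expires. The chain policy of DROP means that if the REJECT rule is ever removed or mis-ordered, the host silently falls back to option B, so a restore test after edits should confirm that the REJECT line is still the last rule in INPUT.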