iptables SECURITY - default settings

Ted Kaczmarek tedkaz at optonline.net
Fri Sep 17 00:03:18 UTC 2004


On Thu, 2004-09-16 at 19:36, Jack Bowling wrote:
> On Thu, Sep 09, 2004 at 11:34:29PM +0200, Alexander Dalloz wrote:
> > On Thu, 09.09.2004 at 23:04, Wal wrote:
> > 
> > > I am suggesting a more secure default setting-
> > 
> > > -I SecLev505-INPUT -p all -j DROP
> > 
> > > Alternately (with possible issue when rules actually get applied)-
> > 
> > > -A SecLev505-INPUT -p all -j DROP
> > 
> > I would heavily dislike a default DROP rule setup with iptables. There
> > is a long discussion about DROP versus REJECT in the firewall forums,
> > and I follow the arguments for REJECTing. One reason which affects users
> > of Fedora: a DROP policy / default rule makes it much harder for anyone,
> > and especially less experienced users, to track down problems caused by
> > firewalling, with no real gain on the other side. It is and stays a myth
> > that DROPing packets makes a system invisible to attackers (buzzword
> > "stealth mode" in PFW products). For the majority of users, feedback in
> > the form of an ICMP port unreachable is most useful.
> 
> Your argument in favor of REJECT falls apart in a DDoS situation. Having
> the kernel drop packets rather than fire off REJECT messages in response to
> every packet is much more efficient.
> 
> -- 
> Jack Bowling
> mailto: jbinpg at shaw.ca


Generating rejects would consume much more resources than dropping the
packets.

What "firewall" forums are you looking at?

I know many firewall professionals and not one of them prefers to send
an unreachable if they don't have to.

Ted  
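An added illustration of the two things the thread argues over, the `-I` versus `-A` placement of the catch-all rule and a DROP versus a REJECT target; this is not code from any of the posters or from Fedora's firewall scripts. The chain name SecLev505-INPUT is taken from the thread; the ACCEPT rules placed ahead of the catch-all, and the `--reject-with icmp-port-unreachable` form of the REJECT, are assumptions. The script only prints and reorders rule lines and never calls iptables, so it runs without root.

```shell
# Added illustration for the thread above; not code from any poster or from
# Fedora's firewall tooling. SecLev505-INPUT is the thread's chain name; the
# ACCEPT rules ahead of the catch-all are assumed. Nothing calls iptables.
nl='
'
# Rule lines for chain SecLev505-INPUT.
#   $1: drop | reject  -> "-j DROP" or "-j REJECT --reject-with icmp-port-unreachable"
#   $2: append | insert -> catch-all written with "-A" or with "-I"
rules() {
    case $1 in
        drop)   target='-j DROP' ;;
        reject) target='-j REJECT --reject-with icmp-port-unreachable' ;;
        *)      printf 'rules: unknown mode %s\n' "$1" >&2; return 1 ;;
    esac
    case $2 in
        append) flag='-A' ;;
        insert) flag='-I' ;;
        *)      printf 'rules: unknown placement %s\n' "$2" >&2; return 1 ;;
    esac
    printf '%s\n' '-A SecLev505-INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A SecLev505-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A SecLev505-INPUT -p tcp --dport 22 -j ACCEPT'
    printf '%s\n' "$flag SecLev505-INPUT -p all $target"
}

# Order the kernel ends up with once those lines are loaded: "-A" appends to
# the chain, "-I" with no position number inserts at the head.
chain_order() {
    chain=''
    while IFS= read -r line; do
        case $line in
            '-A '*) chain="$chain${chain:+$nl}$line" ;;
            '-I '*) chain="$line${chain:+$nl}$chain" ;;
        esac
    done
    printf '%s\n' "$chain"
}

# Rule a packet hits first / last when traversing the loaded chain.
first_rule() { rules "$1" "$2" | chain_order | head -n 1; }
last_rule()  { rules "$1" "$2" | chain_order | tail -n 1; }
# "insert" lands the catch-all ahead of every ACCEPT, "append" after them;
# the listing below shows which of the thread's two spellings does which.
for mode in drop reject; do
    for place in append insert; do
        printf '== %s / %s ==\n' "$mode" "$place"
        rules "$mode" "$place" | chain_order
    done
done
```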
