Block connection in firewall

Robert Nichols rnicholsNOSPAM at comcast.net
Sat Feb 13 14:33:38 UTC 2016


On 02/12/2016 03:34 PM, Rick Stevens wrote:
> On 02/12/2016 01:01 PM, Joe Zeff wrote:
>> On 02/12/2016 12:47 PM, Bob Goodwin wrote:
>>> Ok, I'll try adding that. Joe brings up the need to keep a route open to
>>> NTP, that presents another concern.
>>
>> Either that, or set up a local NTP server on a box that's not blocked.
>> Let that box sync to the rest of the net and have your LAN all sync to
>> it.
>
> Carrying that further, set up the firewall to block all incoming traffic
> initially and use "DROP" as the target--NOT "REJECT". The reason to use
> DROP is that "REJECT" actually returns a response to a probe which
> essentially says "Yeah, there's a machine here, but I'm not interested
> in you". That makes you a target for DDOS or script-kiddie break-in
> attempts. "DROP" just drops the packets with no response so your machine
> appears to not be there at all.

The lack of response means, "There's a machine here that is trying
not to be seen."  If there were really no machine at that address,
the upstream router would have sent back an ICMP "No route to host"
response.  Yes, I do DROP most of those incoming probes, but it's
just to avoid the effort to send a packet that would count, albeit
minimally, against my usage cap.  I'm not kidding myself that it
makes me more "invisible".

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
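The firewall layout the quoted advice describes, written out as an added example (not posted by anyone in the thread): an nftables ruleset with a default DROP on inbound traffic, an outbound chain that blocks everything except the "route kept open to NTP" (plus DNS so pool hostnames resolve), and the local-NTP-server arrangement Joe Zeff suggests, where LAN hosts sync to this box and only this box talks to upstream time servers. The interface names lan0/wan0, the LAN prefix 192.168.1.0/24, and the choice of nftables rather than the iptables/firewalld front end are all assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread.  Assumptions:
#   lan0             LAN-facing interface
#   wan0             Internet-facing interface
#   192.168.1.0/24   the LAN
# This host runs the local NTP server (chronyd or ntpd on UDP 123).

define lan_if  = "lan0"
define wan_if  = "wan0"
define lan_net = 192.168.1.0/24

flush ruleset

table inet filter {
    chain input {
        # Default DROP, as suggested above: unmatched inbound packets get no reply.
        type filter hook input priority filter; policy drop;

        # Replies to connections this host opened (including its own outbound
        # NTP queries to upstream servers) come back through this rule.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP needed for path-MTU discovery and IPv6 neighbour discovery.
        # Echo requests are rate-limited rather than dropped outright.
        icmp   type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept
        icmp type echo-request limit rate 5/second accept

        # LAN clients sync to this box instead of the Internet.
        iifname $lan_if ip saddr $lan_net udp dport 123 accept

        # Management from the LAN only.
        iifname $lan_if ip saddr $lan_net tcp dport 22 accept

        # Anything else from the LAN is rejected so local clients fail fast;
        # anything arriving on wan0 falls through to the drop policy.
        iifname $lan_if reject with icmpx type admin-prohibited
    }

    chain forward {
        # This host is not a router for the LAN.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outbound is blocked by default; only what is listed below leaves.
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept

        # The route kept open to NTP: queries to upstream time servers.
        oifname $wan_if udp dport 123 accept

        # DNS, so that pool.ntp.org style hostnames still resolve.
        oifname $wan_if udp dport 53 accept
        oifname $wan_if tcp dport 53 accept

        # Unrestricted towards the LAN itself.
        oifname $lan_if ip daddr $lan_net accept

        # Record what the policy is about to drop so a blocked client shows
        # up in the journal; log is non-terminal, the packet then hits policy drop.
        limit rate 10/minute log prefix "nft output drop: "
    }
}
```

Load it with `nft -f /etc/nftables.conf` (or `nft -c -f` first to check syntax without applying). The inbound default is the DROP Rick Stevens recommends; the LAN-side `reject` is a deliberate exception so that misconfigured local clients get an immediate error instead of a timeout. Whether the outward DROP makes the host any less visible is the point Robert Nichols takes issue with above, and nothing in this ruleset changes that argument either way.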



More information about the users mailing list