On Wed, Jul 25, 2001 at 01:38:19PM -0400, Jason Healy wrote:
> > Are there any drawbacks to DENY? Is there a general consensus on this
> > subject?
>
> In general, DENY is good because it does just what your friend says.
> This also makes things like portscans more difficult, as they take
> longer to complete (the scanner must timeout on all the ports, rather
> than just getting back an instant 'closed' message).
There's definitely no consensus on this; it's largely a matter of personal
taste. I generally believe that DENY is almost always the wrong thing to
do. Sending back the port-unreachable ICMP packet (via the REJECT rule) is
the polite thing to do, which I think makes for better netizenship.

I don't see how making portscans take longer equates to making them more
difficult to perform, as you (Jason) claim. REJECT results in the same
behavior you'd get if there was no service listening on the port at all.
That's usually what you're going for.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
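The two claims in this exchange (that REJECT looks, to the probing host, exactly like a port with no listener, and that DENY only adds a timeout per silent port) can be checked with a small model of a TCP connect scan. The following is an added example, not code from the thread or from either poster; it does not touch the network. The host, the port numbers, the `Host` and `connect_scan` names, and the 2-second per-port timeout are all constructed for the illustration.

```python
"""Simulated TCP connect scan against a host whose firewall uses
REJECT (ICMP port-unreachable) or DENY (silent drop) for filtered ports.

Added example; names, ports and timeout are constructed, nothing here is
from the original thread.  Timing is simulated so the result is deterministic.
"""
from dataclasses import dataclass, field

# What the probing host receives in answer to a single SYN.
REPLY_SYN_ACK = "syn-ack"                     # a service is listening
REPLY_RST = "rst"                             # no listener; kernel answers RST
REPLY_ICMP_UNREACH = "icmp-port-unreachable"  # firewall REJECT rule
REPLY_NONE = None                             # firewall DENY rule: silence


@dataclass
class Host:
    """Simulated target: listening ports, firewall policy, and filtered ports."""
    listening: set
    policy: str                       # "none" (no firewall), "REJECT", or "DENY"
    filtered_ports: set = field(default_factory=set)

    def reply_to_syn(self, port):
        """Return the reply the firewall or kernel gives for one SYN."""
        if port in self.filtered_ports:
            if self.policy == "REJECT":
                return REPLY_ICMP_UNREACH
            if self.policy == "DENY":
                return REPLY_NONE
        # No rule matched (or no firewall): the kernel decides.
        return REPLY_SYN_ACK if port in self.listening else REPLY_RST


def connect_scan(host, ports, timeout=2.0):
    """Classify each port the way a connect scanner would and total the
    simulated wall-clock cost: any immediate answer costs ~0 seconds,
    silence costs one full timeout per port."""
    results = {}
    elapsed = 0.0
    for port in ports:
        reply = host.reply_to_syn(port)
        if reply == REPLY_SYN_ACK:
            results[port] = "open"
        elif reply in (REPLY_RST, REPLY_ICMP_UNREACH):
            # RST and ICMP port-unreachable both read as "nothing there".
            results[port] = "closed"
        else:
            results[port] = "no response"
            elapsed += timeout
    return results, elapsed


def compare_policies(ports=(22, 80, 443), timeout=2.0):
    """Scan three constructed hosts that all run only SSH on port 22:
    one with no firewall, one REJECTing everything else, one DENYing it."""
    bare = Host(listening={22}, policy="none")
    rejecting = Host(listening={22}, policy="REJECT", filtered_ports={80, 443})
    denying = Host(listening={22}, policy="DENY", filtered_ports={80, 443})
    return {
        "no firewall": connect_scan(bare, ports, timeout),
        "REJECT": connect_scan(rejecting, ports, timeout),
        "DENY": connect_scan(denying, ports, timeout),
    }


if __name__ == "__main__":
    for name, (classes, cost) in compare_policies().items():
        print(f"{name:12s} {classes}  scan cost ~{cost:.1f}s")
```

Run as-is, the REJECT host and the host with no firewall produce identical classifications at identical cost, while the DENY host yields the same open port but charges the scanner one full timeout for every silent port, which is exactly the "slower, not harder" point made above.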