Drop and reject are not equivalent. With _reject with icmpx_ you get an ICMP response when trying to access a system and get blocked by the firewall. With _policy drop_, packets that are not allowed just get silently dropped and don't give any feedback to the source.
In most cases it's a best practice to configure all chains with _policy drop_ and then add rules for the traffic that you want to allow (there are some exceptions, but for normal workstations I would always start with policy drop). For machines that are not exposed to the internet I also like to configure a reject at the bottom of all chains; it helps a lot when debugging networking problems to know if you are getting blocked by the firewall.

On Tue, 12 Jul 2022 at 1:27, Gareth Evans (<donots...@fastmail.fm>) wrote:
>
> On Sun 10 Jul 2022, at 06:25, Gareth Evans <donots...@fastmail.fm> wrote:
>
> > Thanks Roger, that also suggests "policy drop" in its nftables examples.
>
> As someone on firewalld-users kindly pointed out, there is
>
> > table inet firewalld {
> >   chain filter_INPUT {
> [...]
> >     reject with icmpx admin-prohibited   <--- catch-all reject
> >   }
>
> which seems equivalent to ufw's qualified "policy drop".
>
> Panic over.
> G

--
Maximiliano Estudies
VDT Referat Beschallung
+49 176 36784771
omslo.com
maxiestudies.com
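As an added example (not a ruleset from the thread or from firewalld), this is what the layout described in the reply looks like as an nftables file: every filter chain starts from policy drop, the allow rules come next, and the catch-all reject sits at the bottom of the input chain so blocked connections fail fast instead of timing out. The LAN range and the SSH port are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Addresses and ports below are assumed.
flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not explicitly accepted is dropped silently.
        type filter hook input priority filter; policy drop

        # Replies to connections this host initiated, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services this workstation intentionally exposes
        # (assumed: SSH, reachable from the local LAN only).
        ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Everything that reaches this rule would otherwise hit the silent drop.
        # On a host that is not internet-exposed, a counted, logged catch-all
        # reject tells the sender "administratively prohibited", which makes a
        # firewall block easy to tell apart from an unreachable host while
        # debugging. Remove this one rule to fall back to silent drop.
        counter log prefix "nft input rejected: " reject with icmpx type admin-prohibited
    }

    chain forward {
        # A workstation does not route; drop anything it is asked to forward.
        type filter hook forward priority filter; policy drop
    }

    chain output {
        # Outbound traffic from the host itself is allowed.
        type filter hook output priority filter; policy accept
    }
}
```

Load it with `nft -f <file>` and watch the kernel log (or `nft list chain inet filter input` for the counter) while reproducing a connectivity problem: a rising count with the "rejected" prefix means the firewall, not the network, is in the way.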