"Gareth Evans" <donots...@fastmail.fm> writes:

> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies <maxiestud...@gmail.com>
> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that you want to
>> allow
>
> All the nftables and PF howtos I have found take this approach.
>
> Why is it best practice? Is there any security advantage over rejection?
Not really, to me using DROP is a simplistic view not based in reality. https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject covers the pros and cons reasonably with this conclusion: "DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used."
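To make the drop-versus-reject distinction concrete, here is an added example nftables ruleset (not posted by anyone in the thread). It follows the "policy drop, then allow what you need" layout the thread describes, but uses an explicit reject for one service so the two verdicts can be compared side by side; the allowed ports and the choice of TCP 113 (ident) as the rejected service are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the thread. Assumes a single host;
# adjust the allowed ports to the services actually running.
flush ruleset

table inet filter {
    chain input {
        # Chain policy: anything not matched below is silently discarded.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Explicitly allowed services (assumed: SSH and HTTPS).
        tcp dport { 22, 443 } accept

        # Reject instead of drop: answer ident (TCP 113) probes with a TCP RST
        # so a remote mail server that tries ident fails fast instead of
        # waiting for its timeout, which is the legitimate-user delay the
        # linked article describes.
        tcp dport 113 reject with tcp reset

        # Everything else falls through to the chain policy (drop).
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and compare the behaviour with a client: a connection to port 113 gets an immediate "connection refused", while a connection to an unlisted port hangs until the client's own timeout. For UDP or other non-TCP traffic the equivalent would be `reject with icmpx type admin-prohibited`, which sends an ICMP (or ICMPv6) unreachable message rather than a RST.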