Thornton Prime <[EMAIL PROTECTED]> wrote:

> I forgot to mention, in general it is better to REJECT than DENY. REJECT
> responds to the source by telling them that the port is unreachable,
> whereas DENY simply drops the packets entirely.
> 
> If you are going to block access by protocol and port, then you should use
> REJECT, and it will appear that the service is simply not running. If you
> DENY, it will tip your hand that there is a firewall rule.
> 
> If you want to hide your machine entirely from a foreign host, then it is
> appropriate to use DENY, but it is only effective if you block all access,
> not selected protocols or ports.

I have to disagree here. I've been a security / firewall administrator
for several years and the consensus among admins is to deny. All firewalls
that I use deny by default. In fact the only time I have ever used
reject is when I receive an ident/auth request. I reject these to avoid
delays in sending emails to servers that use ident/auth. Why help possible
attackers by letting them know immediately that a service is not running?

Roy
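An added example (not from either poster) of the two policies described above, written for modern iptables where the ipchains DENY target is spelled DROP: the default-deny ruleset Roy describes, with ident/auth (TCP 113) as the one port that is REJECTed so that peer mail servers are not delayed, and, for contrast, the per-port REJECT that Thornton describes. The `IPT` variable is an assumption for a dry run; it defaults to `echo` so the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates firewall rules in the
# two styles discussed. First argument is the command used to emit each rule
# (e.g. "echo" for a dry run, "iptables" to apply as root).

# Roy's approach: silently DROP everything not explicitly allowed
# (ipchains DENY == iptables DROP), but REJECT ident/auth probes with a
# TCP RST so a remote SMTP server's ident lookup fails instantly instead
# of timing out and delaying mail delivery.
deny_by_default_rules() {
    ipt="$1"
    $ipt -P INPUT DROP
    # Keep loopback and already-established flows working.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ident/auth is the one port answered with a reset rather than silence.
    $ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Anything else falls through to the DROP policy: no ICMP, no RST,
    # the probe simply sees no reply.
}

# Thornton's approach: block a specific service with REJECT so the peer
# gets an ICMP port-unreachable, which looks like "nothing listening"
# rather than "something is filtering". Second argument is the TCP port.
reject_by_port_rules() {
    ipt="$1"
    port="$2"
    $ipt -A INPUT -p tcp --dport "$port" -j REJECT --reject-with icmp-port-unreachable
}

# Dry run by default: set IPT=iptables to apply for real.
IPT="${IPT:-echo}"
deny_by_default_rules "$IPT"
reject_by_port_rules "$IPT" 23
```

With `IPT=echo` the script prints the rule lines it would run; the contrast is that with the default-deny set a closed port produces no packet at all, while the per-port REJECT produces an ICMP unreachable.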



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list