[techtalk] Default Deny

Jamie Walker jj.walker at auckland.ac.nz
Fri Jan 28 10:30:43 EST 2000

Brian Engle wrote:

> REJECT is a little different than DENY in that rejecting it just looks at
> the originating IP, sees if it's allowed, if not, connection closed...if
> telnet traffic is rejected and someone tries to telnet, the client almost
> immediately sends the message "Connection Refused." whereas if the rule is
> set to DENY, it takes a little longer to respond and the output is usually
> something like "Connection Closed by Foreign/Remote Host" which leads me to
> believe that the connection was opened, it checked to see if it was allowed,
> when it's not, it immediately closes the connection. I know it's getting
> down to semantics, but REJECT checks before the connection is even
> established, DENY establishes a connection before checking...if you're using
> the firewall for security purposes (what other reason is there to have a
> firewall?) then I would go with REJECT, but in the end, it's up to the user
> I suppose....

Not quite. The difference between REJECT and DENY is that REJECT sends
an ICMP response back to the source of an incoming packet saying that it
was rejected, whereas DENY just completely ignores it. Trying to connect
to a machine that is DENYing packets should be like connecting to a
black hole (it will retry for up to several minutes before giving up,
unless the user does a ^C), whereas with REJECT you should get
connection refused messages.

I'm of two different minds as to whether REJECT or DENY is better -
depends on circumstances really. REJECT is more polite if somebody is
making an unmalicious attempt to connect - it tells them straight away
that the connection has been refused. On the other hand, if somebody is
trying a denial of service attack on you then at least with a DENY rule
you're not filling up your outbound bandwidth as well, responding to it.

[note: following is speculation and shouldn't be taken as gospel]

Using DENY probably will eliminate one way of using you as a DoS relay
as well - they can't send you packets with the source address spoofed to
be that of their target and get your system to hit them with rejection
packets in response.

Anyway, my home system does DENYs on most ports, but on certain ones
(113/auth, 23/telnet, 7/echo) it does REJECTs - there are some
legitimate services that try and connect back to some of these (e.g. IRC
servers do an auth lookup when you connect), and connections go faster if
these get refused straight away.

One last thing - having a REJECT rule for packets not destined to you
(i.e., on some systems I have a rule telling it to ignore some broadcast
traffic) is probably broken behaviour. I don't think a machine sending
out DHCP requests for example is supposed to receive REJECTs coming back
from some random machine which isn't even a DHCP server :-)

Phone: +64-9-373-7599 x4679     Room: 2.316, School of Engineering
 Work: jj.walker at auckland.ac.nz Home: jamiew at clear.net.nz
  ICQ: 5632563			or shout loudly

techtalk at linuxchix.org   http://www.linuxchix.org
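A small model of the distinction drawn above, added here as an illustration and not code from the original message or from any firewall: a REJECT target answers the packet's source with an ICMP error while DENY emits nothing, so a client sees an immediate refusal versus a long retransmit timeout, and a packet with a forged source gets the reply sent to the forged address. The `Packet`/`Rule` types, the policy and all addresses are constructed; the filter matches on destination port only, so like the broadcast case in the last paragraph it also replies to packets that were never addressed to it.

```python
# Constructed simulation of ipchains-style REJECT vs DENY semantics; it only
# models which packet (if any) the filter sends back, not real kernel code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source address as written in the header (may be forged)
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    dport: object       # destination port to match, or None for any port
    target: str         # "ACCEPT", "REJECT" or "DENY"

FIREWALL_IP = "192.0.2.10"   # constructed address (RFC 5737 TEST-NET-1)

# Policy modelled on the post: REJECT on 113/auth, 23/telnet and 7/echo so
# legitimate callers give up quickly; DENY (silent drop) everything else.
POLICY = [Rule(113, "REJECT"), Rule(23, "REJECT"), Rule(7, "REJECT"),
          Rule(None, "DENY")]

def filter_packet(pkt, policy=POLICY):
    # Returns (verdict, reply): reply is the packet emitted back to the
    # header's source address, or None when the input is silently discarded.
    for rule in policy:
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.target == "REJECT":
            # The ICMP error goes to whatever the header claims as source, so a
            # forged source becomes the relay effect the post describes.
            return "REJECT", Packet(FIREWALL_IP, pkt.src, 0, "icmp-port-unreachable")
        return rule.target, None
    return "ACCEPT", None        # no rule matched: default accept

def client_sees(pkt, policy=POLICY, retry_limit_s=180):
    # What the client observes after sending its connection attempt.
    verdict, reply = filter_packet(pkt, policy)
    if verdict == "ACCEPT":
        return "connected"
    if reply is not None:
        return "connection refused"          # immediate, triggered by the ICMP error
    return "no answer, gave up after %ds of retransmits" % retry_limit_s

def reply_target(pkt, policy=POLICY):
    # Address that receives the filter's reply, or None if it stays silent.
    _, reply = filter_packet(pkt, policy)
    return reply.dst if reply else None
```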
