[techtalk] Default Deny

Brian Engle bengle at fti-net.com
Thu Jan 27 17:08:25 EST 2000


I figured I wasn't quite on target with that description; I just couldn't
think of a way to phrase it....

There are several different arguments for and against stateful (REJECT) and
stateless (DENY) firewalls, and many other mailing lists used to
debate which is better/worse and why.....

I find REJECT to be convenient for my situation, a 2-node home network, my
Linux machine and my wife's Windows machine, with the Linux box doing
firewalling/masquerading so that she can get on the internet as well....one
thing I like about the state firewall is the output an nmap scan gives when
it scans my IP from the outside....basically it reports every port "open"
with "(State Firewalled)" next to it, so you can't really tell if I've got
any ports open or not....I suppose if I actually opened the firewall up for
HTTP access or something, the scan would look different, but I'm not really
ready to do something like that yet....

I'm not sure what sort of output nmap gives when it receives a DENY,
though, but I find REJECT gives anyone scanning/connecting to my box the
general idea that I don't really want them doing that, whereas a DENY could
give them the impression that they can, just not on the port they were
trying...maybe I'm just too uptight about my security (if that's possible) :)


Brian

> 
> Not quite. The difference between REJECT and DENY is that REJECT sends
> an ICMP response back to the source of an incoming packet saying that it
> was rejected, whereas DENY just completely ignores it. Trying to connect
> to a machine that is DENYing packets should be like connecting to a
> black hole (it will retry for up to several minutes before giving up,
> unless the user does a ^C), whereas with REJECT you should get
> connection refused messages.
> 
> I'm of two different minds as to whether REJECT or DENY is better -
> depends on circumstances really. REJECT is more polite if somebody is
> making an unmalicious attempt to connect - it tells them straight away
> that the connection has been refused. On the other hand, if somebody is
> trying a denial of service attack on you then at least with a DENY rule
> you're not filling up your outbound bandwidth as well responding to it.
> 
> [note: following is speculation and shouldn't be taken as gospel]
> 
> Using DENY probably will eliminate one way of using you as a DoS relay
> as well - they can't send you packets with the source address spoofed to
> be that of their target and get your system to hit them with rejection
> packets in response.
> 
> Anyway, my home system does DENYs on most ports, but on certain ones
> (113/auth, 23/telnet, 7/echo) it does REJECTs - there are some
> legitimate services that try and connect back to some of these, (eg IRC
> servers do an auth lookup when you connect) and connections go faster if
> these get refused straight away.
> 
> One last thing - having a REJECT rule for packets not destined to you
> (ie, on some systems I have a rule telling it to ignore some broadcast
> traffic) is probably broken behaviour. I don't think a machine sending
> out DHCP requests for example is supposed to receive REJECTs coming back
> from some random machine which isn't even a DHCP server :-)
> 
> --
> Phone: +64-9-373-7599 x4679     Room: 2.316, School of Engineering
>  Work: jj.walker at auckland.ac.nz Home: jamiew at clear.net.nz
>   ICQ: 5632563			or shout loudly
> 
> ************
> techtalk at linuxchix.org   http://www.linuxchix.org
> 

************
techtalk at linuxchix.org   http://www.linuxchix.org
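A small model of the two policies discussed in this thread, added here as an example and not code from either poster. It encodes the quoted ruleset (DENY by default, REJECT on 113/auth, 23/telnet and 7/echo; the port set and the addresses are constructed sample values) and shows what a sender observes in each case, and which address receives the firewall's reply when the source address is spoofed.

```python
"""Toy model of a packet filter's DENY (drop) versus REJECT verdicts.

Constructed example: it does not touch a real firewall, it only models the
observable difference the thread describes. Addresses and ports are sample
values, not any real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen on the wire (may be spoofed)
    dst: str      # the firewalled host
    dport: int
    proto: str = "tcp"


# Ruleset from the quoted post: REJECT these ports, DENY everything else.
REJECT_PORTS = frozenset({113, 23, 7})
LISTENING = frozenset()  # sample host publishes no services


def decide(pkt, listening=LISTENING, reject_ports=REJECT_PORTS):
    """Return (verdict, reply) for one inbound packet.

    verdict is "ACCEPT", "REJECT" or "DENY". reply is (kind, destination)
    for the packet the firewall sends back, or None when DENY swallows it.
    """
    if pkt.dport in listening:
        return "ACCEPT", None
    if pkt.dport in reject_ports:
        # REJECT answers at once: TCP RST (connection refused) for TCP,
        # ICMP port-unreachable otherwise, addressed to whatever pkt.src says.
        kind = "tcp-rst" if pkt.proto == "tcp" else "icmp-port-unreachable"
        return "REJECT", (kind, pkt.src)
    return "DENY", None  # black hole: the sender just times out


def client_view(pkt, **rules):
    """What the sender sees: connected, refused straight away, or a timeout."""
    verdict, reply = decide(pkt, **rules)
    if verdict == "ACCEPT":
        return "connected"
    return "connection refused" if reply else "timeout"


def reply_targets(packets, **rules):
    """Addresses that receive firewall-generated replies for a burst of
    packets. With a spoofed source and REJECT rules, that is the victim."""
    return {reply[1] for _, reply in (decide(p, **rules) for p in packets) if reply}
```

Under the all-DENY variant (`reject_ports=frozenset()`), `reply_targets` is empty for the same burst, which is the relay case the quoted post speculates about.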
