[Dshield] firewall policy recommendations

John Sage jsage at finchhaven.com
Fri May 31 12:33:09 GMT 2002


When you DROP or DENY a packet it's as though it never reached your
system; it causes no more use of your resources than it takes for it
to come in on the wire and be -- well -- dropped on the floor.

When you REJECT a packet, generally your kernel is sending back an
ICMP port unreachable, which does cause your firewall system to
consume some resources for that process, but that process should be
completed quickly and the necessary resources returned to general
system availability...

When you send a DROP or a DENY, the theory is that the attacker's
system will sit in a wait state, waiting for a response, and possibly
send further SYN packets to the same port again, which are DROP'ped,
and he sits and waits...

Generally a REJECT is considered more "polite"; personally, I DENY
anything I don't want to be receiving.


- John
"You are in a little maze of twisty passages, all alike."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 

On Fri, May 31, 2002 at 10:08:11AM +0200, Graham K. Dodd wrote:
> What is the effect on the firewall / network when you tie up a prober's
> attack?
> Some of us don't even have a partial T1 and run on a minimum budget, so we
> don't want to waste our resources just to annoy hackers who obviously have
> lots of time to waste anyway...
> BTW I'm not flaming Kenneth and his policies, I want to know whether I can
> adopt this sort of policy without affecting my company's "small, but very
> important" network.
> thanks,
> 	Graham
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
> Of Kenneth Porter
> Sent: Wednesday, 29 May 2002 17:35
> To: DShield List
> Subject: Re: [Dshield] firewall policy recommendations
> On Wed, 2002-05-29 at 07:01, Chad Albert wrote:
> > I am curious to know what most people on this list think is the best
> > practice when blocking traffic with a firewall.  I see many firewalls that
> > drop unwanted TCP packets, many that send an RST packet, some drop unwanted
> > UDP, and some send ICMP type 3 (destination unreachable).
> Drop anything you don't expect. That'll tie up a prober waiting for his
> SYN to be ACK'd, slowing down his scans.

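To put rough numbers on the trade-off John describes, the following is an added example (not from the original thread, and not DShield code) that models one prober working through closed ports behind a DROP policy and behind a REJECT policy. The retransmit schedule (a 1 s initial timeout doubled on each of five retries) is an assumed, typical connect() behaviour, not a measured value.

```python
"""Model of what a port prober experiences against DROP versus REJECT.
Constructed illustration for this thread, not code from the original post.
Assumed: the prober's stack retransmits an unanswered SYN with a doubling
timeout (1 s, 2 s, 4 s, ...) and gives up after MAX_RETRIES retransmits."""
from dataclasses import dataclass

MAX_RETRIES = 5     # retransmits after the first SYN (assumed, varies by OS)
INITIAL_RTO = 1.0   # seconds before the first retransmit (assumed)

@dataclass
class ProbeResult:
    policy: str
    syns_sent: int         # SYNs the prober had to send for this one port
    replies_sent: int      # packets the firewall generated in response
    seconds_waited: float  # time the prober's socket sat in the wait state

def firewall_reply(policy, port, open_ports):
    """What the firewall sends back for a SYN to `port`; None means silence."""
    if port in open_ports:
        return "SYN-ACK"                # service answers normally
    if policy == "DROP":
        return None                     # dropped on the floor, nothing sent
    if policy == "REJECT":
        return "ICMP-port-unreachable"  # kernel spends cycles building a reply
    raise ValueError(f"unknown policy {policy!r}")

def probe_port(policy, port, open_ports):
    """Simulate one prober's connect() attempt against a single port."""
    syns, replies, waited, rto = 0, 0, 0.0, INITIAL_RTO
    for _ in range(MAX_RETRIES + 1):
        syns += 1
        reply = firewall_reply(policy, port, open_ports)
        if reply is not None:           # answered at once (transit time ignored)
            replies += 1
            return ProbeResult(policy, syns, replies, waited)
        waited += rto                   # no answer: sit and wait ...
        rto *= 2                        # ... then retransmit with a longer timeout
    return ProbeResult(policy, syns, replies, waited)  # gave up: timed out

def sequential_scan(policy, ports, open_ports=frozenset()):
    """(SYNs sent, replies generated, seconds waited) for probing `ports` in turn."""
    results = [probe_port(policy, p, open_ports) for p in ports]
    return (sum(r.syns_sent for r in results),
            sum(r.replies_sent for r in results),
            sum(r.seconds_waited for r in results))

if __name__ == "__main__":
    for policy in ("DROP", "REJECT"):   # 100 closed ports (constructed input)
        print(policy, sequential_scan(policy, range(1, 101)))
```

Real scanners run many probes in parallel and set their own shorter timeouts, so the slowdown is smaller than the per-port figure suggests; the replies column is the cost the firewall itself pays under REJECT, which is the resource question Graham asked about.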