Firewall Wizards mailing list archives

Re: Performance question Drop or Reject


From: K K <kkadow () gmail com>
Date: Fri, 15 Jan 2010 10:56:11 -0600

On Wed, Jan 13, 2010 at 9:10 PM, Jason Lewis <jlewis () packetnexus com> wrote:
Is there any performance difference between Drop/Deny and Reject rules? IDK if it's relevant, but I'm using
iptables. If there isn't a performance hit between the two rules, is there anything else that might steer me towards
picking one over the other?

Reject involves generating a new reply packet and transmitting it;
this does have a performance impact.

Drop is "faster"; a drawback to drop is that the originating host is
likely to re-send the packet, so you'll just have to do the work
again. If your site is often the target of spoofed packets (e.g.
DDoS), then you would want to choose "drop".

IME, the #1 reason people chose "Drop" is that they like to see
"stealth" in their ShieldsUP! results :)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
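The trade-off described in the reply above, worked through as an added example (not part of the original thread): a small model of the per-SYN cost the firewall bears under DROP versus REJECT, for a real client and for a spoofed source. It assumes the Linux default of net.ipv4.tcp_syn_retries = 6 (initial SYN plus six retransmissions, exponential backoff starting at 1 s) and that a client stops immediately on a REJECT reply; the Outcome fields and function names are constructed for this example.

```python
"""Model of what a firewall pays per inbound SYN under DROP vs REJECT (constructed example)."""
from dataclasses import dataclass

# Linux default net.ipv4.tcp_syn_retries is 6: the client sends the initial SYN
# plus six retransmissions, with the retransmission timer doubling from 1 s.
SYN_RETRIES = 6
INITIAL_RTO_SECONDS = 1.0


@dataclass(frozen=True)
class Outcome:
    inbound: int      # packets the firewall had to evaluate for this one attempt
    outbound: int     # reply packets the firewall had to build and transmit
    seconds: float    # how long the peer kept retrying before giving up
    backscatter: int  # replies delivered to a host that never sent anything


def simulate(policy: str, spoofed: bool = False, syn_retries: int = SYN_RETRIES) -> Outcome:
    """Cost of one connection attempt under the given iptables target.

    policy:  "DROP" or "REJECT"
    spoofed: True if the source address is forged (e.g. a SYN flood), so the
             sender keeps no state and never retransmits or reads a reply.
    """
    if policy not in ("DROP", "REJECT"):
        raise ValueError(f"unknown policy {policy!r}")

    if policy == "REJECT":
        # One reply per inbound SYN (RST or ICMP error). A real client stops at
        # once; a spoofed source never sees it, and the reply lands on the
        # innocent host whose address was forged.
        return Outcome(inbound=1, outbound=1, seconds=0.0,
                       backscatter=1 if spoofed else 0)

    # DROP: silence. A spoofed source sends nothing further, so the cost is a
    # single evaluated packet. A real client hears nothing and retransmits
    # until its SYN retry budget is exhausted, and each retry is re-evaluated.
    if spoofed:
        return Outcome(inbound=1, outbound=0, seconds=0.0, backscatter=0)
    attempts = 1 + syn_retries
    # Backoff 1 + 2 + 4 + ... + 64 = 127 s for the default seven attempts.
    seconds = sum(INITIAL_RTO_SECONDS * 2 ** i for i in range(attempts))
    return Outcome(inbound=attempts, outbound=0, seconds=seconds, backscatter=0)


if __name__ == "__main__":
    for policy in ("DROP", "REJECT"):
        for spoofed in (False, True):
            print(policy, "spoofed" if spoofed else "real client", simulate(policy, spoofed))
```

For a legitimate client, DROP costs seven evaluated packets and ties the peer up for about two minutes, while REJECT costs one evaluated packet plus one reply; for a spoofed flood the ordering flips, since DROP is a single packet and REJECT adds a reply that becomes backscatter.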