Firewall Wizards mailing list archives

Re: Performance question Drop or Reject


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 16 Jan 2010 11:10:12 -0500 (EST)

On Fri, 15 Jan 2010, Paul Melson wrote:

The difference between DROP and REJECT in iptables is that DROP simply
discards the packet while REJECT discards the packet and sends an ICMP
host-unreachable response to the source IP.  You can also configure TCP
REJECT rules to respond with a TCP RST packet. There are several performance
and security considerations that should be weighed when setting up your
rules and deciding whether to DROP or REJECT.  

More properly, that should be an ICMP *destination* unreachable.  For 
TCP and UDP I'd expect to see code 3 (port unreachable) as the destination 
unreachable code (unless the source address is a broadcast or multicast 
address) although filters should give back code 9, 10 or 13.  Code 1 is 
host unreachable, and is generally only sent by routers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
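The reply above turns on which ICMP type 3 code a REJECT actually emits. The script below is an added example, not code from either poster or from the netfilter project: it crafts offline the ICMPv4 destination-unreachable reply a Linux firewall sends for `-j REJECT` (default `icmp-port-unreachable`, type 3 code 3) and for the other `--reject-with` names (net/host/proto unreachable and the 9, 10, 13 "prohibited" codes), quoting the offending IP header plus 8 bytes of payload as RFC 792 requires, and decodes it back so the code value can be checked byte for byte. The `tcp-reset` variant is a TCP RST, not ICMP, and is not modelled. The addresses and the UDP probe to port 161 are constructed sample data; nothing is sent on the wire.

```python
"""Craft and decode the ICMP destination-unreachable replies a REJECT rule sends."""
import socket
import struct

# ICMPv4 type 3 codes (RFC 792 / RFC 1812), keyed by the iptables --reject-with
# name that produces each one.  Code 3 is what plain "-j REJECT" uses.
REJECT_WITH_CODE = {
    "icmp-net-unreachable": 0,
    "icmp-host-unreachable": 1,     # normally only routers send this
    "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3,     # iptables default for -j REJECT
    "icmp-net-prohibited": 9,
    "icmp-host-prohibited": 10,
    "icmp-admin-prohibited": 13,
}
CODE_NAME = {v: k for k, v in REJECT_WITH_CODE.items()}


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP packet; UDP checksum left 0 (disabled), which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp


def build_reject(offending: bytes, fw_addr: str,
                 reject_with: str = "icmp-port-unreachable") -> bytes:
    """Reply a firewall REJECT rule would send back to the sender of `offending`.

    The ICMP body quotes the original IP header plus the first 8 bytes of its
    payload, which is enough for the sender's stack to match the ports.
    """
    code = REJECT_WITH_CODE[reject_with]
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    sender = socket.inet_ntoa(offending[12:16])
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted   # type 3, code, csum, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(fw_addr, sender, 1, len(icmp)) + icmp


def decode_reject(packet: bytes) -> dict:
    """Parse an ICMP destination-unreachable packet back into its fields."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    typ, code, _ = struct.unpack("!BBH", icmp[:4])
    if typ != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                       # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"code": code, "reject_with": CODE_NAME.get(code, "unknown"),
            "orig_dst": socket.inet_ntoa(inner[16:20]), "orig_proto": inner[9],
            "orig_sport": sport, "orig_dport": dport}


if __name__ == "__main__":
    # Constructed sample: a UDP probe to port 161 that a REJECT rule bounces.
    probe = udp_datagram("192.0.2.10", "198.51.100.1", 40000, 161, b"snmp?")
    for name in ("icmp-port-unreachable", "icmp-admin-prohibited"):
        print(name, decode_reject(build_reject(probe, "198.51.100.1", name)))
```

Running it shows the default REJECT reply carrying code 3 with the probe's ports and destination quoted inside, and the `icmp-admin-prohibited` variant carrying code 13; a capture of real REJECT traffic can be fed to `decode_reject` the same way to confirm which code a given rule set produces.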
