On Wed, Jul 25, 2001 at 02:32:51PM -0400, Noah Meyerhans ([EMAIL PROTECTED]) wrote:
> On Wed, Jul 25, 2001 at 01:38:19PM -0400, Jason Healy wrote:
> > > Are there any drawbacks to DENY? Is there a general consensus on this
> > > subject?
> >
> > In general, DENY is good because it does just what your friend says.
> > This also makes things like portscans more difficult, as they take
> > longer to complete (the scanner must time out on all the ports, rather
> > than just getting back an instant 'closed' message).
>
> There's definitely no consensus on this; it's largely a matter of
> personal taste. I generally believe that DENY is almost always the
> wrong thing to do. Sending back the port-unreachable ICMP packet (via
> the REJECT rule) is the polite thing to do, which I think makes for
> better netizenship. I don't see how making portscans take longer
> equates to making them more difficult to perform, as you (Jason)
> claim.
The benefits are twofold:

- For a two-stage scan, DENY gives the appearance of an unpopulated IP;
  you're never hit by the second stage of the scan.

- For automated netblock sweeps, DENY causes the remote (scanning) host
  to time out on each port. In a netblock that's composed largely of
  hosts with deny policies, a scan will take significantly longer. This
  means the black hat has to devote more resources (time, hardware, or
  both) to the scan.

My own firewall drops all blocked ports, with the one discretionary
exception of 113 (authentication service). This is used by some mail
transports. Actually, I deny this too, though I've got the 'REJECT' line
commented in my IP filtering ruleset.

A full nmap scan (1024 ports) on the box takes several minutes.

This reject/deny policy comes from the book _Building Linux and OpenBSD
Firewalls_, recommended.

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?    There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
   Free Dmitry!! Boycott Adobe!! Repeal the DMCA!!  http://www.freedmitry.org
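The DENY-versus-REJECT choice the thread argues about, written out as a ruleset. This is an added example and not the poster's own ruleset (the thread is ipchains-era; this uses iptables, where ipchains DENY is spelled DROP and REJECT answers with an ICMP port-unreachable by default). The external interface name, the emit-then-apply split and the helper names are assumptions for illustration. The default is the silent variant the poster actually runs; passing "reject" enables the commented-out REJECT line for port 113 so that a remote mail transport doing an ident lookup gets an immediate answer instead of hanging until its own timeout.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables equivalent of the
# DENY (DROP) vs REJECT policy for unsolicited traffic, with the one
# discretionary exception for ident/auth (113) that the message describes.
# WAN_IF and the helper names are assumptions for illustration.

WAN_IF="eth0"     # assumed external interface
IDENT_PORT=113    # auth/ident, consulted by some mail transports

# Emit (do not apply) the INPUT-chain rules for the given ident policy:
#   drop   - silent: the remote side must wait for its own timeout
#   reject - polite: ICMP port-unreachable, remote MTA gives up at once
# Everything else unsolicited is silently dropped in both variants.
firewall_rules() {
    ident_policy="${1:-drop}"
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # Loopback and replies to connections we initiated are always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$ident_policy" in
        reject)
            # The 'REJECT' line: answer ident probes with port-unreachable.
            echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $IDENT_PORT -j REJECT --reject-with icmp-port-unreachable"
            ;;
        drop)
            # Silent variant: ident probes get no reply at all.
            echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $IDENT_PORT -j DROP"
            ;;
        *)
            echo "unknown ident policy: $ident_policy" >&2
            return 1
            ;;
    esac
    # Everything else: DROP (the thread's DENY), so a closed port looks like
    # an unpopulated address instead of answering 'closed'.
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
}

# Number of rules that send any reply to unsolicited traffic.  With the
# all-drop policy this is 0, which is the whole point of DENY.
reply_rule_count() {
    firewall_rules "$1" | grep -c -- '-j REJECT' || true
}

# Apply only when explicitly asked (needs root):  ./firewall.sh --apply reject
# Otherwise just print the rules so they can be reviewed first.
if [ "${1:-}" = "--apply" ]; then
    firewall_rules "${2:-drop}" | sh -e
else
    firewall_rules "${1:-drop}"
fi
```

Run without arguments to review the generated ruleset; the state-match ACCEPT line is what keeps the default DROP from breaking connections the host itself opened, which is the usual mistake when first switching a policy to DROP.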