Monday, 14 September 2009

Drop versus reject

Contemplating the firewall configuration of my home machine, it occurs to me that rejecting packets is likely more secure than dropping them (so as to make IP spoofing more difficult).
Posted by james at 10:22 PM in Tools and Programming

 


Comment: Hervé Debar at Tue, 15 Sep 7:39 AM

I think that it also helps to avoid timeout retries on some connections, so it generally helps performance.

Comment: Eliav at Tue, 15 Sep 2:16 PM

Proposed Summary: offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.

Comment: Eliav at Tue, 15 Sep 2:17 PM

From another blog: Summary: DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.
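
The client-side difference the comments describe, as an added example that is not part of the original post or its comments: a rejected connection fails at once, while a dropped one makes the caller wait out its timeout. `probe` and `demo` are hypothetical names, and the loopback listener is constructed for the demonstration.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """Make one TCP connect attempt and return (state, seconds_elapsed).

    state is "open", "rejected" (an RST or ICMP error came back) or
    "dropped" (nothing came back before the timeout expired).
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "rejected"      # the peer or its firewall answered "no"
    except socket.timeout:
        state = "dropped"       # silence: the caller paid the full timeout
    except OSError as e:
        # Some ICMP rejections surface as "unreachable" errors instead.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            state = "rejected"
        else:
            raise
    finally:
        s.close()
    return state, time.monotonic() - start


def demo():
    """Constructed local check: probe a listening port, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = probe("127.0.0.1", port)
    srv.close()                         # no listener now: the kernel replies with RST
    closed_result = probe("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    for state, secs in demo():
        print(f"{state:9s} after {secs:.3f}s")
```

Run against a filtered port on your own machine, `probe` shows which policy is in effect: `rejected` comes back almost immediately, `dropped` only after the full timeout.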
