From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Peter Marshall <peter.marshall@caris.com>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: DROP or REJECT
Date: Tue, 11 May 2004 13:16:03 -0400
Message-ID: <1084295762.1965.8.camel@grendel>
In-Reply-To: <163801c4375e$49bb6d50$49caa8c0@caris.priv>

On Tue, 2004-05-11 at 09:45, Peter Marshall wrote:
> Which is better (to drop or reject packets)?  I am asking more
> specifically for connections from the internet to my external
> firewall.

Depends. I like rejecting with host-unreachables as it makes it look
like you do not have a firewall. It also has the ability to shut down
certain scanning tools before they can find exposed ports.

Some worry this could be a potential DoS situation. If you are worried
about this you can combine it with rate limiting.

> My second question is if I have a DNS in my DMZ (contains only ip's in
> my dmz.  internal boxes use this as their DNS.  This DNS falls back to
> my ISP), do I have to allow both TCP and UDP connections on port 53 ? 
> Can I not just have UDP, or does it use both ? 

Again, it depends. Queries use UDP/53 _unless_ the answer exceeds a 512
byte packet size. If it does, the connection can switch over to TCP/53. 

So, outbound you need TCP and UDP. Inbound to your DNS server, it
depends if your answers will exceed this maximum. If not, you only need
to permit UDP/53 from the Internet in general, and TCP/53 only from
servers (if any) that are acting as secondaries.

HTH,
Chris
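Added example, not part of Chris's message or the list archive: an iptables ruleset that follows the advice above (REJECT with host-unreachable, rate limited with a DROP fallback; UDP/53 inbound from anywhere, TCP/53 only from the secondary). The interface name and the DNS server and secondary addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example: external-firewall rules following the thread's advice.
# Placeholder values (assumptions): external interface, DMZ DNS server
# (TEST-NET-1 range) and the secondary that pulls zone transfers.
WAN_IF="${WAN_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
SECONDARY="${SECONDARY:-198.51.100.10}"
# Dry run by default: print the rules instead of applying them.
# Set DRY_RUN=0 and run as root to apply.
if [ "${DRY_RUN:-1}" = 1 ]; then IPT="echo iptables"; else IPT="iptables"; fi

firewall_rules() {
    # Stateful baseline: replies to our own queries (including the TCP retry
    # of a truncated DNS answer) come back as ESTABLISHED/RELATED.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound DNS from the DMZ resolver: both UDP and TCP, since an
    # answer over 512 bytes is retried over TCP.
    $IPT -A FORWARD -s "$DNS_SERVER" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -s "$DNS_SERVER" -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    # Inbound DNS: UDP/53 from anywhere, TCP/53 only from the secondary.
    $IPT -A FORWARD -i "$WAN_IF" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -s "$SECONDARY" -d "$DNS_SERVER" \
         -p tcp --dport 53 -j ACCEPT
    # Everything else from the Internet: REJECT with host-unreachable, but
    # rate limited so a flood cannot turn the firewall into an ICMP
    # generator. Once the limit is exceeded the packet falls through to DROP.
    $IPT -A INPUT   -i "$WAN_IF" -m limit --limit 10/second --limit-burst 20 \
         -j REJECT --reject-with icmp-host-unreachable
    $IPT -A INPUT   -i "$WAN_IF" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -m limit --limit 10/second --limit-burst 20 \
         -j REJECT --reject-with icmp-host-unreachable
    $IPT -A FORWARD -i "$WAN_IF" -j DROP
}

# Sanity check on the generated ruleset: how many rules admit TCP/53 from
# the Internet side? Expected: exactly one, and only for the secondary.
count_inbound_tcp53() {
    firewall_rules | grep -c -- "-i $WAN_IF .*-p tcp --dport 53"
}

firewall_rules
```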
