Re: [Shorewall-users] DROP vs. REJECT

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

>> I've been reading about DROP vs. REJECT and some are saying that DROP
>> causes problems without any benefit.  Do you guys agree?  Should DROP
>> normally not be used at all?
>
> DROP is perfectly acceptable as a default policy for traffic from the
> internet. Shorewall's "default DROP action" (action.Drop) get applied
> before a packet is actually dropped, ensuring that traffic that it is
> potentially harmful to DROP is handled properly.
>
> DROP isn't particularly friendly for traffic that originates behind your
> firewall -- for that traffic, REJECT is a better choice.

What is the advantage of using DROP?  Is it supposed to leave the
requester wondering whether or not there is a service running at that
location?

- Grant