From: Grant <ema...@gm...> - 2009-01-22 22:56:30
>> I've been reading about DROP vs. REJECT and some are saying that DROP
>> causes problems without any benefit. Do you guys agree? Should DROP
>> normally not be used at all?
>
> DROP is perfectly acceptable as a default policy for traffic from the
> internet. Shorewall's "default DROP action" (action.Drop) gets applied
> before a packet is actually dropped, ensuring that traffic that it is
> potentially harmful to DROP is handled properly.
>
> DROP isn't particularly friendly for traffic that originates behind your
> firewall -- for that traffic, REJECT is a better choice.

What is the advantage of using DROP? Is it supposed to leave the
requester wondering whether or not there is a service running at that
location?

- Grant