[lug] IP Tables

Nate Duehr nate at natetech.com
Sat Sep 22 17:38:06 MDT 2007


Kevin Fenzi wrote:

> reject tells it: "sorry, rejected". It could of course keep trying
> anyhow, but any well behaved app would stop trying. 

And since most firewalls are protecting against badly behaved people and 
apps... DROP is almost always more appropriate.  :-)

In a REJECT, your machine HAS to respond.  This can be used as an 
amplifier for a DDoS -- assuming that your upstream and downstream 
speeds to the Net are the same (they're usually not anymore, of course), 
then the attacker can both fill your incoming and outgoing bandwidth up 
at the same time with one packet stream.

With DROP, they can only fill your incoming pipe.  Your machine never 
replies.

Additionally *if* your ISP were to allow a spoofed source address to 
make it to your machine, the REJECTs could be going to a third-party 
machine who'd follow the trail back to you.

With DROP, you can't be used in that way.

(And while it's rare anymore for ISPs to route anything that's not in 
their address ranges, some might... and spoofed addresses could reach 
your box.)

For most folks, a home connection is slow enough that any serious 
attacker attempting a DDoS on you is going to crush your bandwidth, but 
using you as a DDoS amplifier by messing with where your REJECTs go is 
one reason not to use REJECT, and to just DROP it if you don't want it.

REJECT is from the days when the Internet was still a polite place with 
reasonable people.

That's my opinion anyway...

Nate
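As an added example that is not part of Nate's post or the thread: a small shell script that prints an iptables-restore ruleset following the advice above (DROP as the INPUT policy, no REJECT rule, spoofed private sources on the WAN side dropped rather than answered). The interface name eth0 and the exposed TCP ports 22 and 80 are assumptions for illustration; the script only prints text, and you would pipe it into `iptables-restore` yourself on a Linux host.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore
# ruleset; nothing is applied. WAN_IF and ALLOW_TCP are assumed values.
WAN_IF="${WAN_IF:-eth0}"        # assumed WAN interface
ALLOW_TCP="${ALLOW_TCP:-22 80}" # assumed services to expose

gen_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: silently discard anything not explicitly accepted,
    # so unsolicited probes never get a reply packet from this host.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback plus return traffic for connections we opened ourselves.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Anti-spoofing: a packet on the WAN interface claiming a private or
    # loopback source is bogus; drop it instead of answering it.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        printf '%s\n' "-A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # Only new connections to the services we actually run.
    for port in $ALLOW_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
    done
    # Contrast, left commented out on purpose: a REJECT rule here would make
    # the host emit an ICMP port-unreachable for every probe, which is the
    # reply traffic the post warns about. Everything else hits the DROP policy.
    printf '%s\n' '# -A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Number of active rules that would generate a reply; 0 for this ruleset.
reply_rule_count() {
    gen_ruleset | grep -c '^-A .* -j REJECT' || true
}

gen_ruleset
```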
