Firewall Wizards mailing list archives

NAK dropped SYN-packets to sender?


From: "Frank Heinzius" <frimp () mms de>
Date: Mon, 9 Aug 1999 09:47:30 +0200

Hi wiz',

our firewall normally silently drops unauthorized packets from the 
Internet. It is also possible to send back an ICMP unreachable to the 
originator.

Both methods have their advantages: silent dropping gives you an 
additional kinda "security by obscurity" level. The disadvantage is that 
the originator's TCP stack will do a couple of retransmits due to the 
timeouts.
If I send ICMP unreachable, the attacker knows that there is a firewall 
mechanism, which makes port scans very fast (if based on SYN-ACK). On the 
other hand, I don't have to deal with retransmits.

What is the common and/or most recommended way?



Kind Regards / Mit freundlichen Gruessen,

--
Frank M. Heinzius               MMS Communication AG
mailto:frimp () mms de             Eiffestrasse 598
http://www.mms.de               20537 Hamburg, Germany
Phone: +49 40 211105-40         Fax: +49 40 210 32 210
-- spam forbidden --            -- PGP key available --
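As an added illustration (not part of Frank's post) of the retransmit cost he describes: a small Python model of what one blocked SYN looks like from the client side and in the firewall's log under silent DROP versus REJECT with an ICMP port unreachable. The Linux-style SYN retransmit schedule (initial RTO of 1 s, doubling, six retries) and the RFC 1122 hard-error rule for ICMP port unreachable are assumptions, not taken from the post.

```python
"""Model a single blocked TCP connection attempt under two firewall policies.

Assumptions (not from the original post): the client uses a Linux-style
SYN retransmit schedule (1 s initial RTO, doubled after every unanswered
SYN, SYN_RETRIES retransmits before giving up) and treats an ICMP port
unreachable in SYN_SENT as a hard error that aborts the connection
(RFC 1122 section 4.2.3.9).
"""
from dataclasses import dataclass

SYN_RETRIES = 6      # Linux default net.ipv4.tcp_syn_retries (assumed)
INITIAL_RTO = 1.0    # seconds; Linux initial SYN retransmission timeout


@dataclass
class Outcome:
    policy: str
    syns_sent: int           # SYN packets the firewall has to absorb and log
    give_up_after: float     # seconds until the client stops trying
    learned_filtered: bool   # did the client get a definite "no" answer?


def syn_arrival_times(policy: str, rtt: float = 0.05) -> list[float]:
    """Times (s after the first SYN) at which the firewall sees a SYN.

    Under 'drop' this is the retransmit pattern a log reviewer should
    recognise as ONE attempt, not seven separate probes; under 'reject'
    the client aborts as soon as the ICMP error arrives, one RTT later.
    """
    if policy == "reject":
        return [0.0]
    if policy != "drop":
        raise ValueError(f"unknown policy {policy!r}")
    times, elapsed, rto = [0.0], 0.0, INITIAL_RTO
    for _ in range(SYN_RETRIES):
        elapsed += rto           # timer expires, client retransmits
        times.append(elapsed)
        rto *= 2                 # exponential backoff
    return times


def connect_attempt(policy: str, rtt: float = 0.05) -> Outcome:
    """Summarise one SYN against a filtered port under the given policy."""
    times = syn_arrival_times(policy, rtt)
    if policy == "reject":
        return Outcome(policy, 1, rtt, True)
    # Silent drop: after the last retransmit the client waits one more
    # (doubled) RTO before reporting a timeout: 127 s with the defaults.
    final_wait = INITIAL_RTO * 2 ** SYN_RETRIES
    return Outcome(policy, len(times), times[-1] + final_wait, False)
```

The seven-SYN pattern at 0, 1, 3, 7, 15, 31 and 63 seconds is the signature of a silently dropped connection and is worth collapsing to one event when counting "attacks" in firewall logs.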


