Penetration Testing mailing list archives
Re: DROP or REJECT that is the question...
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Sat, 07 Apr 2007 11:02:43 -0400
On Wed, 2007-04-04 at 15:36 -0700, Thor (Hammer of God) wrote:
> Reject typically sends a response saying it was rejected.

For most commercial firewalls, "reject" translates into:

  TCP stimulus = return a TCP RST/ACK
  everything else = ICMP type 3, code 10 (Host Admin prohibited)

For the open source firewalls it varies. For example Netfilter defaults to port unreachables but it is also highly customizable.

> If dropped, the user would not know if it was a firewall rule or if the ip/port was not available -

Actually, that's not completely true:

  Port open = SYN/ACK returned
  Port closed = RST/ACK returned
  Host is down = Type 3, code 1 (Dst host unreachable)
  Net is down = Type 3, code 0 (Dst net unreachable)
  Too many hops away = Type 11, code 0 (TimeX in transit)
  Firewall drop rule = no reply returned

So the only time you would receive nothing back to a TCP stimulus is when a firewall is running with a drop rule. This very clearly informs the person doing the scan there is a firewall to contend with. Now it's a matter of running tcptraceroute or firewalk (assuming there are accessible ports behind the device) to figure out its IP address. This is why nmap records a lack of response as "filtered". Of course your mileage will vary with UDP.
> From: "Mohamed Abdel Kader"
> I wanted to gather your opinions on whether firewall rules should be Dropped Or Rejected. To me I believe that both give away the firewall rules.

All depends on what you are trying to accomplish.

Reject:
 * Only RFC acceptable method of filtering traffic
 * Assists in troubleshooting
 * Optimizes normal connectivity
 * Makes you less likely to have your address space spoofed in SYN floods

Drop:
 * More investigation required to find firewall
 * Slows down most scanners (except nmap which actually runs faster than if "reject" is used)
 * Slightly less traffic overhead

IMHO I don't see either one being better than the other. Every environment has different requirements.

HTH,
Chris
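As an added example (not part of Chris's post or anyone else's on the list), the following Python script sends the TCP stimulus he describes by way of an ordinary connect() and maps what the kernel reports back to the states nmap uses: a completed handshake is "open", a refusal is "closed", an ICMP unreachable shows up as a host- or net-unreachable errno, and silence until the timeout is "filtered", the one outcome only a drop rule produces. It assumes Linux errno semantics for the ICMP type 3 codes, and the loopback demo picks its port numbers at run time. One caveat a raw-socket scanner does not have: connect() loses detail, because Linux folds a RST/ACK and an ICMP 3/3 port unreachable (Netfilter's default REJECT) into the same ECONNREFUSED, and ICMP 3/1 and 3/10 into the same EHOSTUNREACH, and it raises the unreachable errnos locally (no route, ARP failure) without any packet from the network.

```python
"""Added example, not from the original post: a connect() probe that maps
the kernel's answer to the wire responses listed in the thread, labelled
the way nmap labels them.  Assumes Linux errno semantics for ICMP codes."""
import errno
import socket

# What the kernel turns each wire response into.  Several ICMP codes
# collapse into one errno, so connect() sees less than nmap -sS does.
ERRNO_STATE = {
    errno.ECONNREFUSED: ("closed",
                         "RST/ACK, or ICMP 3/3 port unreachable from a REJECT rule"),
    errno.EHOSTUNREACH: ("host-unreachable",
                         "ICMP 3/1 host unreachable, or 3/10 admin prohibited from a "
                         "REJECT rule (also raised locally on ARP failure)"),
    errno.ENETUNREACH: ("net-unreachable",
                        "ICMP 3/0 net unreachable (also raised locally with no route)"),
    errno.EHOSTDOWN: ("host-down", "ICMP 3/7 destination host unknown"),
}


def classify(exc):
    """Map the outcome of connect() (None on success, else the exception)
    to a (state, evidence) pair."""
    if exc is None:
        return ("open", "SYN/ACK returned, handshake completed")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No reply at all.  Every other condition answers with something,
        # so silence means a DROP rule somewhere in the path.
        return ("filtered", "no reply before timeout: silent drop, expect a firewall")
    return ERRNO_STATE.get(exc.errno,
                           ("unknown", "errno %s: %s" % (exc.errno, exc.strerror)))


def probe(host, port, timeout=2.0):
    """Send one SYN via connect() and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as e:  # socket.timeout is an OSError subclass
            return classify(e)
        return classify(None)


def scan(host, ports, timeout=2.0):
    """Probe several ports; a single 'filtered' answer already reveals a
    filtering device in the path."""
    return {port: probe(host, port, timeout) for port in ports}


def loopback_demo():
    """Self-contained run against 127.0.0.1: one listening port (open) and
    one port that was just released (closed).  Nothing filters loopback,
    so no 'filtered' result can appear here."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
        return {"listening": results[open_port][0],
                "closed": results[closed_port][0]}
    finally:
        srv.close()


if __name__ == "__main__":
    for label, state in loopback_demo().items():
        print(label, "->", state)
```

Run against a real target, a "filtered" row is the drop rule giving itself away as Chris describes; to tell a RST from a Netfilter port-unreachable, or a host-unreachable from an admin-prohibited, you need the raw packets rather than connect()'s errno.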
Current thread:
- DROP or REJECT that is the question... Mohamed Abdel Kader (Apr 04)
- Re: DROP or REJECT that is the question... Paul Melson (Apr 04)
- Re: DROP or REJECT that is the question... Tim (Apr 06)
- Re: DROP or REJECT that is the question... Tim (Apr 08)
- Re: DROP or REJECT that is the question... Tim (Apr 06)
- Re: DROP or REJECT that is the question... Isaac Perez (Apr 06)
- Re: DROP or REJECT that is the question... Jamie Riden (Apr 06)
- <Possible follow-ups>
- Re: DROP or REJECT that is the question... Thor (Hammer of God) (Apr 04)
- Re: DROP or REJECT that is the question... Chris Brenton (Apr 08)
- FW: DROP or REJECT that is the question... Bryan_McAninch (Apr 06)
- Re: DROP or REJECT that is the question... Paul Melson (Apr 04)