Penetration Testing mailing list archives

Re: DROP or REJECT that is the question...


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Sat, 07 Apr 2007 11:02:43 -0400

On Wed, 2007-04-04 at 15:36 -0700, Thor (Hammer of God) wrote:

> Reject typically sends a response saying it was rejected.

For most commercial firewalls, "reject" translates into:
TCP stimulus = return a TCP RST/ACK
everything else = ICMP type 3, code 10 (Host Admin prohibited)

For the open source firewalls it varies. For example Netfilter defaults
to port unreachables but it is also highly customizable.

> If dropped, the user would not know if it was a firewall rule or if the
> ip/port was not available -

Actually, that's not completely true:
Port open = SYN/ACK returned
Port closed = RST/ACK returned
Host is down = Type 3, code 1 (Dst host unreachable)
Net is down = Type 3, code 0 (Dst net unreachable)
Too many hops away = Type 11, code 0 (TimeX in transit)
Firewall drop rule = no reply returned

So the only time you would receive nothing back to a TCP stimulus is
when a firewall is running with a drop rule. This very clearly informs
the person doing the scan there is a firewall to contend with. Now it's a
matter of running tcptraceroute or firewalk (assuming there are
accessible ports behind the device) to figure out its IP address. This
is why nmap records a lack of response as "filtered".

Of course your mileage will vary with UDP.
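The reply table above, and the "what reject translates into" table further up, are easy to get wrong from memory, so here is an added worked example (not part of the original post) that builds the replies as raw IPv4 packets and classifies them the way the post describes. The packet bytes, the ten-dot addresses and the function names are all constructed for this example; the mapping from ICMP type 3 codes to "filtered" follows what nmap's SYN scan does, which the post alludes to.

```python
"""
Classify the reply to a TCP SYN probe into the categories the post lists:
open / closed / host down / net down / too many hops / filtered.

Added example, not from the original post.  All packets are constructed
in-line, so nothing is sent on the wire.
"""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10

# ICMP type 3 codes -> (state, meaning).  nmap's SYN scan reports every
# one of these as "filtered"; the state names here keep the post's finer
# distinction between "host is down", "net is down" and "firewall reject".
UNREACH_CODES = {
    0:  ("net-down", "destination net unreachable"),
    1:  ("host-down", "destination host unreachable"),
    3:  ("filtered", "port unreachable (Netfilter's default REJECT)"),
    10: ("filtered", "host administratively prohibited (classic firewall reject)"),
    13: ("filtered", "communication administratively prohibited (reject)"),
}


def ipv4(proto, payload, src=bytes([10, 0, 0, 1]), dst=bytes([10, 0, 0, 2])):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp_segment(flags, sport=80, dport=40000):
    """20-byte TCP header with the given flag bits, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_message(icmp_type, code):
    """ICMP header plus the quoted IP header + 8 bytes real unreachables carry."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + b"\x00" * 28


def commercial_reject_reply(stimulus):
    """What 'reject' means on most commercial firewalls, per the post:
    TCP stimulus -> RST/ACK, anything else -> ICMP type 3 code 10."""
    if stimulus[9] == PROTO_TCP:
        return ipv4(PROTO_TCP, tcp_segment(TH_RST | TH_ACK))
    return ipv4(PROTO_ICMP, icmp_message(3, 10))


def classify_reply(reply):
    """reply is None (probe timed out) or the raw IPv4 bytes that came back.
    Returns (state, explanation)."""
    if reply is None:
        return ("filtered", "no reply at all: only a firewall drop rule produces silence")
    ihl = (reply[0] & 0x0F) * 4          # header length from the IHL nibble
    proto, payload = reply[9], reply[ihl:]
    if proto == PROTO_TCP:
        flags = payload[13]              # TCP flag byte sits at offset 13
        if flags & TH_SYN and flags & TH_ACK:
            return ("open", "SYN/ACK returned")
        if flags & TH_RST:
            return ("closed", "RST/ACK returned: closed port, or a reject rule answering with a TCP reset")
        return ("unknown", "unexpected TCP flags 0x%02x" % flags)
    if proto == PROTO_ICMP:
        icmp_type, code = payload[0], payload[1]
        if icmp_type == 11 and code == 0:
            return ("ttl-exceeded", "ICMP type 11 code 0: time exceeded in transit (too many hops)")
        if icmp_type == 3 and code in UNREACH_CODES:
            state, meaning = UNREACH_CODES[code]
            return (state, "ICMP type 3 code %d: %s" % (code, meaning))
        return ("unknown", "ICMP type %d code %d" % (icmp_type, code))
    return ("unknown", "IP protocol %d" % proto)


if __name__ == "__main__":
    syn_probe = ipv4(PROTO_TCP, tcp_segment(TH_SYN, sport=40000, dport=80))
    udp_probe = ipv4(PROTO_UDP, b"\x00" * 8)
    samples = [
        ("open port", ipv4(PROTO_TCP, tcp_segment(TH_SYN | TH_ACK))),
        ("closed port", ipv4(PROTO_TCP, tcp_segment(TH_RST | TH_ACK))),
        ("host down", ipv4(PROTO_ICMP, icmp_message(3, 1))),
        ("net down", ipv4(PROTO_ICMP, icmp_message(3, 0))),
        ("too many hops", ipv4(PROTO_ICMP, icmp_message(11, 0))),
        ("netfilter default reject", ipv4(PROTO_ICMP, icmp_message(3, 3))),
        ("commercial reject, TCP", commercial_reject_reply(syn_probe)),
        ("commercial reject, UDP", commercial_reject_reply(udp_probe)),
        ("drop rule", None),
    ]
    for label, pkt in samples:
        print("%-26s -> %-12s %s" % (label, *classify_reply(pkt)))
```

The last two rows of the sample run make the post's point: a "reject" answered with a TCP reset is indistinguishable from a closed port to a SYN scan, while the ICMP admin-prohibited reply for everything else, and the silence of a drop rule, both end up as "filtered".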

From: "Mohamed Abdel Kader":

> I wanted to gather your opinions on whether firewall rules should be
> Dropped Or Rejected. To me I believe that both give away the firewall
> rules.

All depends on what you are trying to accomplish. 

Reject:
* Only RFC acceptable method of filtering traffic
* Assists in troubleshooting
* Optimizes normal connectivity
* Makes you less likely to have your address space spoofed in SYN floods

Drop:
* More investigation required to find firewall
* Slows down most scanners (except nmap which actually runs faster than
if "reject" is used)
* Slightly less traffic overhead

IMHO I don't see either one being better than the other. Every
environment has different requirements.

HTH,
Chris
