Re: DROP or REJECT that is the question...

From: Chris Brenton (cbrenton@chrisbrenton.org)
Date: Sat Apr 07 2007 - 11:02:43 EDT


On Wed, 2007-04-04 at 15:36 -0700, Thor (Hammer of God) wrote:
>
> Reject typically sends a response saying it was rejected.

For most commercial firewalls, "reject" translates into:
TCP stimulus = return a TCP RST/ACK
everything else = ICMP type 3, code 10 (Host Admin prohibited)

For the open source firewalls it varies. For example Netfilter defaults
to port unreachables but it is also highly customizable.

> If dropped, the user would not know if it was a firewall rule or if the
> ip/port was not available -

Actually, that's not completely true:
Port open = SYN/ACK returned
Port closed = RST/ACK returned
Host is down = Type 3, code 1 (Dst host unreachable)
Net is down = Type 3, code 0 (Dst net unreachable)
Too many hops away = Type 11, code 0 (TimeX in transit)
Firewall drop rule = no reply returned

So the only time you would receive nothing back to a TCP stimulus is
when a firewall is running with a drop rule. This very clearly informs
the person doing the scan there is a firewall to contend with. Now it's a
matter of running tcptraceroute or firewalk (assuming there are
accessible ports behind the device) to figure out its IP address. This
is why nmap records a lack of response as "filtered".

Of course your mileage will vary with UDP.

> From: "Mohamed Abdel Kader":
> >
> > I wanted to gather your opinions on whether firewall rules should be
> > Dropped Or Rejected. To me I believe that both give away the firewall
> > rules.

All depends on what you are trying to accomplish.

Reject:
* Only RFC acceptable method of filtering traffic
* Assists in troubleshooting
* Optimizes normal connectivity
* Makes you less likely to have your address space spoofed in SYN floods

Drop:
* More investigation required to find firewall
* Slows down most scanners (except nmap which actually runs faster than
if "reject" is used)
* Slightly less traffic overhead

IMHO I don't see either one being better than the other. Every
environment has different requirements.

HTH,
Chris
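As an added illustration (not code from Chris's post or from any firewall product), here is a small Python classifier that applies the reply table above to one response to a TCP SYN probe, the same logic behind nmap's open/closed/filtered verdicts. The sample packets are constructed inline with minimal headers, zero checksums and made-up 10.0.0.x addresses rather than captured from a network.

```python
import struct

TCP, ICMP = 6, 1                      # IPv4 protocol numbers
SYN, ACK, RST = 0x02, 0x10, 0x04      # TCP flag bits
# ICMP (type, code) -> verdict, following the table in the post above
ICMP_VERDICTS = {
    (3, 0): "net down (dst net unreachable)",
    (3, 1): "host down (dst host unreachable)",
    (3, 3): "reject (port unreachable, the Netfilter default)",
    (3, 10): "reject (host administratively prohibited)",
    (11, 0): "too many hops (time exceeded in transit)",
}

def classify(reply):
    """Verdict for one reply to a SYN probe: raw IPv4 bytes, or None on timeout."""
    if reply is None:
        # Silence is the one outcome no host or router produces: a drop rule.
        return "filtered (no reply, firewall drop rule)"
    ihl = (reply[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto, body = reply[9], reply[ihl:]
    if proto == TCP:
        flags = body[13]                  # TCP flags byte
        if flags & SYN and flags & ACK:
            return "open (SYN/ACK)"
        if flags & RST:
            # A closed port and a RST-style reject look identical to the prober.
            return "closed or reject (RST/ACK)"
        return "unexpected TCP flags 0x%02x" % flags
    if proto == ICMP:
        key = (body[0], body[1])
        return ICMP_VERDICTS.get(key, "unexpected ICMP type %d code %d" % key)
    return "unexpected IP protocol %d" % proto

# Constructed sample replies: minimal headers, checksums left zero, never sent.
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def tcp(flags):
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 0, 0, 0)

def icmp(icmp_type, code):
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

if __name__ == "__main__":
    for name, pkt in [("timeout", None), ("synack", ipv4(TCP, tcp(SYN | ACK))),
                      ("rstack", ipv4(TCP, tcp(RST | ACK))),
                      ("admin-prohib", ipv4(ICMP, icmp(3, 10)))]:
        print("%-12s -> %s" % (name, classify(pkt)))
```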




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:41 EDT