Thursday, August 18, 2011

REJECT vs DROP

As we know, a firewall generally gives three options for dealing with a packet:
ACCEPT - Let the traffic through
DROP - Remove the packet and send no error back
REJECT - Remove the packet and return an error to the sender, typically an
ICMP "Communication administratively prohibited" (ICMP type 3, code 13) or
"Port unreachable" (ICMP type 3, code 3) message. Which one is sent depends
on the firewall: iptables defaults to port unreachable and lets you pick
others with --reject-with, including tcp-reset, which answers a TCP probe
with a RST instead of an ICMP error.

If we DROP a packet in a rule, that means we remove the packet from the
wire without informing the sender about it; in the case of REJECT we
inform the sender.
Most firewalls are configured to DROP unwanted packets. The arguments in
favour of this are the following:
* It helps to "stealth" the firewall: the logic is that since the firewall
returns no data, an attacker can't determine who has a firewall.
This logic does not hold, because an attacker can be sure there is a
firewall precisely when it gets no data back: a host with no firewall
normally answers a probe to a closed port (with a TCP RST, or an ICMP
port unreachable for UDP), so silence itself is the signature of filtering.
For example, the TCP ACK scan in nmap (-sA) is used to test whether a
port is filtered by a firewall or not. It sends an ACK and looks for a
RST in reply; if no packet comes back, nmap reports the port as filtered.
A SYN scan (-sS) shows the same thing: silence is reported as "filtered",
while a RST is reported as "closed", which is exactly what an unfirewalled
host looks like. Note that a REJECT which answers with an ICMP error is
also reported as filtered by both scans; only a REJECT that sends a TCP
RST makes the firewall invisible to them.
* The other argument is that using DROP generates less traffic. This
sounds good, but the facts are far from it, because TCP tries hard to be
reliable: if the first SYN is quietly dropped, the sender retransmits it
several times with growing delays before concluding anything (Linux
retransmits the SYN six times by default, net.ipv4.tcp_syn_retries, and
connect() only fails after about two minutes), whereas a REJECT answers
the first probe and the sender gives up immediately.
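Both arguments above, modelled as an added example (this is not code from the original post): a small Python program that applies nmap's documented port-state rules for SYN and ACK scans to the reply each firewall action produces, and counts the SYNs a Linux client sends before it gives up. The Linux defaults (tcp_syn_retries = 6, 1 s initial RTO, doubling on each retry) and the 50 ms round-trip time are assumptions of the model, and the REJECT variants are named after iptables' --reject-with arguments.

```python
# Added example, not code from the original post: a model of what a scanner
# and a connecting client see when a firewall rule DROPs or REJECTs packets.
# Port states follow nmap's documented rules for SYN (-sS) and ACK (-sA)
# scans. The retransmission schedule is the Linux default (assumption:
# net.ipv4.tcp_syn_retries = 6, initial RTO 1 s, doubling on each retry),
# and the 50 ms RTT is a made-up figure for the comparison.

# What comes back on the wire for a probe that matches the firewall rule.
# REJECT variants are named after iptables' --reject-with arguments.
FIREWALL_REPLY = {
    "DROP": None,                                    # silence
    "REJECT icmp-port-unreachable": "icmp-unreach",  # iptables default, type 3 code 3
    "REJECT icmp-admin-prohibited": "icmp-unreach",  # type 3 code 13
    "REJECT tcp-reset": "rst",                       # TCP only
}
# What a host with no firewall at all answers.
NO_FIREWALL = {"closed-port": "rst", "open-port": "syn-ack"}


def nmap_state(scan, reply):
    """Port state nmap reports for a scan type and the reply it observed."""
    if scan == "syn":                 # -sS: SYN probe
        if reply == "syn-ack":
            return "open"
        if reply == "rst":
            return "closed"
        return "filtered"             # no reply, or an ICMP unreachable error
    if scan == "ack":                 # -sA: ACK probe, only tells filtered/unfiltered
        return "unfiltered" if reply == "rst" else "filtered"
    raise ValueError("unknown scan type: %r" % scan)


def scanner_view(scan, action):
    """What nmap reports for a port behind a rule with the given action."""
    return nmap_state(scan, FIREWALL_REPLY[action])


def client_cost(action, syn_retries=6, initial_rto=1.0, rtt=0.05):
    """(SYNs the client sends, seconds until its connect() gives up).

    Silence makes the client retransmit the SYN with exponential backoff
    until the retry budget is spent; any reply (RST or ICMP unreachable)
    aborts the pending connect after a single round trip.
    """
    if FIREWALL_REPLY[action] is None:
        packets = 1 + syn_retries
        seconds = sum(initial_rto * 2 ** i for i in range(syn_retries + 1))
        return packets, seconds
    return 1, rtt


def compare(actions=tuple(FIREWALL_REPLY)):
    """Rows of (action, syn-scan state, ack-scan state, SYNs sent, seconds)."""
    rows = []
    for action in actions:
        packets, seconds = client_cost(action)
        rows.append((action, scanner_view("syn", action),
                     scanner_view("ack", action), packets, seconds))
    return rows


if __name__ == "__main__":
    print("no firewall, closed port: syn=%s ack=%s" % (
        nmap_state("syn", NO_FIREWALL["closed-port"]),
        nmap_state("ack", NO_FIREWALL["closed-port"])))
    for action, syn, ack, packets, seconds in compare():
        print("%-30s syn=%-9s ack=%-11s client sends %d SYN(s), waits %.2fs"
              % (action, syn, ack, packets, seconds))
```

Running it shows the two points side by side: DROP is reported as "filtered" by both scans while REJECT with tcp-reset is indistinguishable from an ordinary closed port, and a dropped SYN costs the client seven packets and about 127 seconds of waiting against one packet and one round trip for a rejected one.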
So my conclusion is that REJECT may be a better option than DROP in
many situations.