 From:  "Norman H. Azadian" <norman at azadian dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Reject or Deny?
 Date:  Mon, 27 Jun 2005 13:53:05 +0200
Here's a quote from the de.comp.security.firewall FAQ:

> Administrators who bother about script kiddies sometimes believe that they can stop them with
> DENY. This is wrong. It's possible to start several thousand scans at once and therefore to wait for
> all timeouts at once. A scanner won't slow down because of this. On the other side you slow down all
> legitimate users and services. Specifically the IDENT requests.
> The ident service gives the administrator of a neat system a help for identifying misbehaving
> users. DENY has the consequence that this help isn't recorded at other servers. Do you want to hide
> spammers and script kiddies? Please use DENY.

Although it's hard to tell from the bad English, he's in favor of Reject.

I think m0n0wall defaults to Deny, so I assume that this advice will not 
meet with universal acceptance here.  Comments?

Norman H. Azadian    Taegerishalde 13    CH-3110 Muensingen    Switzerland
norman at azadian dot ch      tel: +41 31 721 7855      fax: +41 31 55 898 55