Here's a quote from the de.comp.security.firewall FAQ:
> Administrators who bother about script kiddies sometimes believe that they can stop them with
> DENY. This is wrong. It's possible to start several thousand scans at once and therefore to wait for
> all timeouts at once. A scanner won't slow down because of this. On the other side you slow down all
> legitimate users and services. Specifically the IDENT requests.
>
> The ident services gives the administrator of a neat system a help for identifying misbehaving
> users. DENY has the consequence that this help isn't recorded at other servers. Do you want to hide
> spammers and script kiddies please use DENY.
Although it's hard to tell from the bad English, he's in favor of Reject.
I think m0n0wall defaults to Deny, so I assume that this advice will not
meet with universal acceptance here. Comments?
Norman H. Azadian Taegerishalde 13 CH-3110 Muensingen Switzerland
norman at azadian dot ch tel: +41 31 721 7855 fax: +41 31 55 898 55