On 6/3/07, Stephen Ronan <listsubs0506 at comcast dot net> wrote:
> > Reject is usually preferable to block on the LAN.
> Thanks for that advice. Under what kind of circumstances might block be
> better to use than reject on the LAN?
It's generally considered better to use reject than block on the LAN
because then things that aren't permitted are immediately rejected,
rather than the machine sitting there waiting for a timeout. That can
cause apps to hang, and the waiting in general is undesirable.
But, it does make it faster and easier for internal users to determine
your outbound firewall ruleset. It's still possible to do if you only
use block rules, just takes longer and is a bit more of a pain. If
you're super paranoid about internal users being able to determine
your outbound ruleset, you probably want to use block instead, with
the understanding that you're just making it harder, not impossible,
to determine your ruleset.
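The two behaviours discussed above, written out as a constructed pf.conf fragment (added here as an illustration, not from the original thread); the interface name, LAN subnet and permitted ports are assumptions:

```pf
# Constructed pf.conf fragment for the LAN interface (assumed names/values).
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Permit only the outbound services the LAN is meant to use.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 } keep state
pass in quick on $lan_if proto udp from $lan_net to any port 53 keep state

# "Reject" in pfSense terms is pf's "block return": blocked TCP gets a RST and
# other protocols get an ICMP unreachable, so the client fails immediately
# instead of sitting on a connection attempt until its own timeout expires.
block return in log quick on $lan_if from $lan_net to any

# "Block" in pfSense terms is pf's "block drop": the packet is silently
# discarded and the client waits for its timeout. Swap it in for the line
# above only if hung applications are an acceptable price for making the
# ruleset somewhat slower (not impossible) for LAN users to map.
# block drop in log quick on $lan_if from $lan_net to any
```

Either form still logs the denied traffic, so the choice only affects what the client sees, not what the firewall records.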