On 6/3/07, Stephen Ronan <listsubs0506 at comcast dot net> wrote:
>
> > Reject is usually preferable to block on the LAN.
>
> Thanks for that advice. Under what kind of circumstances might block be
> better to use than reject on the LAN?
>

It's generally considered better to use reject than block on the LAN because then things that aren't permitted are immediately rejected, rather than the machine sitting there waiting for a timeout. That can cause apps to hang, and the waiting in general is undesirable typically. But it does make it faster and easier for internal users to determine your outbound firewall ruleset. It's still possible to do if you only use block rules; it just takes longer and is a bit more of a pain.

If you're super paranoid about internal users being able to determine your outbound ruleset, you probably want to use block instead, with the understanding that you're just making it harder, not impossible, to determine your ruleset.

-Chris
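The fail-fast versus hang behaviour Chris describes can be checked from a LAN host after changing a rule's action. The script below is an added example, not code from the thread: it attempts one TCP connect and classifies the result as "reject" (the firewall answered with a TCP RST or ICMP unreachable, so the client fails immediately), "block" (nothing came back and the client waited out its timeout), or "open". The host, port and timeout values are assumptions for illustration.

```python
import errno
import socket
import time

# Outcome names follow the firewall rule actions discussed in the thread:
#   "reject" - firewall answered (TCP RST / ICMP unreachable); client fails fast
#   "block"  - packet silently dropped; client sat waiting until its own timeout
#   "open"   - the connection completed, i.e. the traffic is permitted


def classify(exc, elapsed, timeout):
    """Map the result of one connect() attempt to reject / block / open."""
    if exc is None:
        return "open"
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        return "reject"  # a RST came back: reject rule (or simply no listener)
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "reject"  # ICMP unreachable was delivered to the socket
    if isinstance(exc, socket.timeout) or elapsed >= timeout:
        return "block"  # silence: the drop left the client to time out
    return "unknown: %s" % exc


def probe_tcp(host, port, timeout=3.0):
    """Try one TCP connect and report how the path behaved and how long it took."""
    start = time.monotonic()
    exc = None
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as e:  # socket.timeout and the Connection* errors are OSErrors
        exc = e
    elapsed = time.monotonic() - start
    return {"outcome": classify(exc, elapsed, timeout), "seconds": round(elapsed, 2)}


def demo_local_reject():
    """Show the fail-fast case offline: a closed local port answers with a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]  # grab a free port, then release it
    return probe_tcp("127.0.0.1", port, timeout=3.0)


if __name__ == "__main__":
    print(demo_local_reject())  # e.g. {'outcome': 'reject', 'seconds': 0.0}
    # Against a real LAN rule (assumed target values):
    # print(probe_tcp("192.0.2.10", 25, timeout=5.0))  # "block" means the client hung 5 s
```

A result of "block" with seconds close to the timeout is the waiting Chris refers to; switching the LAN rule to reject should turn it into "reject" with seconds near zero.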