
[linux] Difference between DROP and REJECT

Posted on 2/2/2016 10:33:58 AM

A firewall has two policy actions for refusing traffic, DROP and REJECT, and they differ as follows:
1. DROP simply discards the packet and sends nothing back. The client has to wait until its own timeout expires, after which it can easily work out that it has been blocked by a firewall.
2. REJECT is more polite: it returns a rejection (termination) packet (TCP FIN, or ICMP port-unreachable for UDP) that explicitly refuses the other side's connection attempt. The connection is torn down immediately, and the client concludes that the host it tried to reach does not exist. In iptables, REJECT takes a return-packet parameter such as ICMP port-unreachable, ICMP echo-reply, or tcp-reset (a packet that asks the other side to close the connection).

There is no definitive answer to whether DROP or REJECT is more appropriate; both are legitimate choices. REJECT is the more standards-compliant option and makes network and firewall problems easier to diagnose and debug in a controlled network environment. DROP gives somewhat higher firewall security and a slight efficiency gain, but because it does not handle the connection the way the TCP specification expects, it can cause unexpected or hard-to-diagnose problems on your network. DROP cuts the connection off unilaterally and returns no response, so the connecting client waits passively until the TCP session times out before it can tell whether the connection succeeded. For example, some client programs or applications on an enterprise internal network require IDENT protocol support (TCP port 113, RFC 1413); if the firewall applies a DROP rule to that traffic without notice, every such connection fails, and from the timeout alone it is hard to tell whether the fault lies with the firewall or with a network device or link failure.

A little personal experience: when deploying a firewall for an internal enterprise network (or another partially trusted network), the more gentlemanly REJECT is the better choice, and the same goes for networks whose rules are changed or debugged frequently. For a firewall facing the hostile Internet or other external networks, the cruder but safer DROP is the right choice: it slows an attacker's progress to some degree and raises the difficulty, since at the very least DROP makes TCP connect port scans take longer.
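The diagnosability difference described above shows up on the client as the way a connection attempt fails: a silent timeout versus an immediate error. The following Python 3 script is an added example (not code from the original post) that classifies that failure and, as a self-check, verifies the "refused" case on the loopback interface, where a closed port is answered by a kernel TCP RST exactly as `REJECT --reject-with tcp-reset` would do. It assumes a Linux client (Linux reports an ICMP port-unreachable on a TCP socket as ECONNREFUSED); the verdict strings, the function names and the sample exceptions in `classify_examples` are this example's own constructions, not iptables terminology.

```python
import errno
import socket
import time


def classify_failure(exc):
    """Map the exception raised by connect() to the firewall behaviour the
    client most likely ran into. The verdict strings are this example's own
    labels, not iptables terminology."""
    if isinstance(exc, socket.timeout):
        # Nothing came back before the deadline: what DROP produces, but also
        # what a dead host or a broken path produces, hence the ambiguity.
        return "timeout (DROP-like: no response at all)"
    if isinstance(exc, ConnectionRefusedError):
        # A TCP RST (REJECT --reject-with tcp-reset) and, on Linux, an ICMP
        # port-unreachable (the REJECT default) both surface as ECONNREFUSED.
        return "refused (REJECT-like: TCP RST or ICMP port-unreachable)"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        # ICMP host/net-unreachable or admin-prohibited variants of REJECT,
        # or simply no route to the destination.
        return "unreachable (REJECT-like ICMP error, or no route)"
    return "other (%s)" % exc


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return (verdict, elapsed_seconds).

    A DROP-like verdict arrives only after roughly `timeout` seconds, a
    REJECT-like one almost immediately; that timing gap is the diagnostic
    difference between the two policies as seen from the client."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open", time.monotonic() - start
    except OSError as exc:  # socket.timeout and ConnectionRefusedError are OSErrors
        return classify_failure(exc), time.monotonic() - start
    finally:
        sock.close()


def classify_examples():
    """Constructed exceptions standing in for what each policy produces on
    the client, so the mapping can be checked without any firewall present."""
    return {
        "drop": classify_failure(socket.timeout("timed out")),
        "reject_tcp_reset": classify_failure(
            ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")),
        "reject_icmp_host_unreachable": classify_failure(
            OSError(errno.EHOSTUNREACH, "No route to host")),
    }


def demo_local():
    """Offline self-check on loopback: a listening port reads as open; the
    same port once the listener is gone is answered with a kernel RST, which
    is what a client sees from REJECT --reject-with tcp-reset."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_verdict, _ = probe("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    closed_verdict, _ = probe("127.0.0.1", port, timeout=1.0)
    return open_verdict, closed_verdict


if __name__ == "__main__":
    for name, verdict in classify_examples().items():
        print("%-28s -> %s" % (name, verdict))
    print("loopback open/closed:", demo_local())
```

When checking a rule you have just deployed, run `probe()` against the protected port from a client on the relevant network: a REJECT rule returns a refused or unreachable verdict within milliseconds, whereas a DROP rule keeps the client waiting for the full timeout, which is the same symptom a dead host would give and the reason the post recommends REJECT on networks you still need to debug.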



