First page Back Continue Last page Summary Graphics

Rejecting Versus Denying a Packet

Reject: Discard packet and return an ICMP error message to the sender.
Deny: Discard packet.

Notes:

The IPFW firewall mechanism gives you the option of either rejecting or denying packets. What's the difference? When a packet is rejected, the packet is thrown away and an ICMP error message is returned to the sender. When a packet is denied, the packet is simply thrown away without any notification to the sender.

Denial is almost always the better choice. There are three reasons for this.
First, sending an error response doubles the network traffic. The majority of dropped packets are dropped because they are malevolent, not because they represent an innocent attempt to access a service you don't happen to offer.
Second, any packet you respond to can be used in a denial-of-service attack.
Third, any response, even an error message, gives the would-be hacker potentially useful information.

Rejecting Versus Denying a Packet

Reject: Discard packet and return an ICMP error message to the sender.

Deny: Discard packet.

Notes: