User manual
20: Configuring firewall
config rule
	option src wan
	option dest_ip 88.77.66.55
	option target REJECT
Rules without IP addresses are automatically added to both iptables and ip6tables,
unless overridden by the family option. Redirect rules (port forwards) are always
IPv4 only, since there is no IPv6 DNAT support at present.
20.8 Implications of DROP vs. REJECT
The decision whether to drop or to reject traffic should be made on a case-by-
case basis. Many people see dropping traffic as a security advantage over
rejecting it because it exposes less information to a hypothetical attacker. While
dropping slightly increases security, it can also complicate the debugging of
network issues or cause unwanted side-effects in client programs.
If traffic is rejected, the router responds with an ICMP error message
("destination port unreachable"), causing the connection attempt to fail
immediately. This also means that a certain amount of response traffic is
generated for each connection attempt. This can actually cause harm if the
firewall is hit with many simultaneous connection attempts: the resulting
backfire of ICMP responses can consume all available upload bandwidth and
make the connection unusable (DoS).
When connection attempts are dropped, the client is not aware of the blocking
and will continue to retransmit its packets until the connection eventually times
out. Depending on how the client software is implemented, this can result in
frozen or hanging programs that must wait for the timeout to occur before they
are able to continue.
DROP
• less information is exposed
• less attack surface
• client software may not cope well with it (hangs until the connection times out)
• may complicate network debugging (where was traffic dropped, and why?)
REJECT
• may expose information (such as the IP address at which traffic was actually blocked)
• client software can recover faster from rejected connection attempts
• network debugging is easier (routing and firewall issues are clearly distinguishable)
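The debugging difference described above is visible from the client side: a REJECT comes back as an immediate "connection refused" error (TCP RST or ICMP port unreachable), a DROP shows up only as a timeout, and a routing problem arrives as ICMP host or network unreachable. The following small probe is an added example written for this manual section, not part of the GW1000 firmware or its firewall scripts; the function names, the two-second default timeout and the loopback self-test are all assumptions chosen for illustration.

```python
import errno
import socket
from typing import Optional, Tuple

# Possible verdicts for one TCP connection attempt
OPEN, REJECTED, DROPPED, UNREACHABLE = "open", "rejected", "dropped", "unreachable"


def classify_connect_error(exc: Optional[BaseException]) -> str:
    """Map the outcome of a TCP connect() to the firewall behaviour it most
    likely indicates.  None means the connection succeeded."""
    if exc is None:
        return OPEN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No reply at all: the SYN was silently DROPped (or never arrived)
        return DROPPED
    if isinstance(exc, ConnectionRefusedError):
        # TCP RST or ICMP port unreachable: REJECT behaviour, or nothing
        # listening on that port at all
        return REJECTED
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        # ICMP host/network unreachable: a routing problem, not a filter rule
        return UNREACHABLE
    raise exc  # anything else is not a firewall symptom; let the caller see it


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connection and classify the result.  Every non-open
    verdict takes at most `timeout` seconds, which is the DROP case."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except OSError as exc:
        return classify_connect_error(exc)


def demo_local_probe() -> Tuple[str, str]:
    """Self-test on the loopback interface (constructed, no firewall involved):
    first probe a listening port, then the same port after the listener has
    gone away, which the kernel answers with a RST (the REJECT symptom)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-test:", demo_local_probe())
    # Against a real host behind a firewall the verdict tells you which rule
    # target you are seeing, e.g. probe_tcp("88.77.66.55", 22)
```

When run against a host behind a DROP rule the call blocks for the full timeout before returning "dropped", which is exactly the hang the text warns about in client software; a REJECT rule returns "rejected" at once. Note that "rejected" cannot distinguish a firewall REJECT from a closed port on an unfiltered host, so it proves only that the packet reached something that answered.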
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 134 of 255