Firewall reject and not a drop is used for WAN

I have just installed Nethsecurity 8 on my Proxmox to test it.

I have a question about the firewall. In Zones and policies, a reject and not a drop was used for WAN. Is there a special reason for this?


1 Like

Is a good practice to reject, because an attacker knows that the traffic Is rejected.
With drop the attacker could retry until a service became available.

And welcome!

I just read about this in an email the other day. What do you think about it so far? I plan on trying it out.

Hi @sarz4fun

With reject, you already confirm “something” worth protecting is here!

With drop, it could be an IP not used, defective hardware on the way, many other reasons.
A reject is a confirmation…

There is also traffic fingerprinting (also called TCP/IP fingerprinting), finding out what OS sent that deny packet.
First step of a sucessful attack is knowing your target…

This is an age old discussion, in the end it’s a bit like denying spam - or reporting spam…

My 2 cents