[ale] iptables: DROP vs. REJECT --reject-with tcp-reset

Amarendra Godbole (Intl Vendor) v-amarg at microsoft.com
Tue Apr 2 22:21:32 EST 2002


> > The choice for DROP or REJECT with reference to security by obscurity is
> > not a good idea. And there is no harm letting them know that yes, we
> > have adequate mechanisms to fight you... :)
> 
> <rant>
> 
> You know, this is a very mistaken assumption that I frequently hear from
> people.  They start with the notion that "Security by obscurity is bad."
> Okay, true enough.  However, it doesn't in any way follow from that what

Oh, oh, I guess I should have phrased it in a better way. I did not mean
that security through obscurity is bad; what I wanted to say is that making
a decision for DROP or REJECT just because it provides you some security
by obscurity is not the proper way. Yes, as you have said, security
through obscurity combined with other defense-in-depth mechanisms is a
very effective firewall indeed. I agree totally.

Besides, who talked about IIS? I thought this was a Linux-only mailing
list (I haven't read the list guidelines), and Apache would have been a
much better choice. ;-) ;-)

Cheers,
--amar

--
Amarendra A. Godbole / Microsoft ``Services For UNIX'' / These opinions
are _MINE_.
If you miss love, you miss life.


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.