Re: [cobalt-security] IPChains/IPTables - DROP or DENY..?

[Ted Behling <TBehling@xxxxxxxxxxxxx>]

At 11:25 PM 8/10/01 -0700, Scott F wrote:
>No, not exactly. I know they both do basically the
>same -The difference between the two are that DROP
>will drop the packet silently and DENY will return
>information. Drop also eat less memory on the system.
>
>--BUT-- To my understanding only IPTables can accept
>the DROP (or DENY) command, IPChains only accepts
>DENY. A friend is insisting that IPChains can accept
>the DROP command as well and that I should change all
>the DENY statements in my firewall to DROP instead..
>But I'm almost sure DROP can only be used with
>IPTables. That's what I'm trying to clarify.

The IPChains man page says DENY is used for passive refusal, whereas REJECT
is used for active refusal (i.e., sends an ICMP message back to the
source).  No mention is made of DROP.  DENY doesn't return information,
which you claimed it did in your first paragraph.  To confuse things, "DENY
and REJECT are the same for ICMP packets," although it fails to say which
role they take.

FWIW, I do think DROP is a better word then DENY, since DENY and REJECT
both seem to imply active refusal.

--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------