Content #
The Netfilter firewall mechanism in iptables and nftables gives you the option of
either rejecting or dropping packets. What’s the difference?
When a packet is rejected, the packet is thrown away and an ICMP error
message is returned to the sender. When a packet is dropped, the
packet is simply thrown away without any notification to the sender.
Silently dropping the packet is almost always the better choice, for three reasons.
- Sending an error response doubles the network traffic. The majority of dropped packets are dropped because they are malevolent, not because they represent an innocent attempt to access a service you don’t happen to offer.
- A packet that you respond to can be used in a denial-of-service (DoS) attack.
- Any response, even an error message, gives the would-be attacker potentially useful information.
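The following nftables ruleset is an added example, not taken from the page or from the book it cites. It shows the two verdicts side by side: a chain whose default policy silently drops, with one explicit `reject` rule for an assumed trusted LAN range (192.168.1.0/24 is a placeholder) where a fast ICMP error is preferable to letting local clients wait for a timeout. Everything from anywhere else falls through to the `drop` policy, so no response leaves the host.

```nft
#!/usr/sbin/nft -f
# Added example (not the page's own ruleset). Load with: nft -f thisfile.nft
# Check syntax without loading: nft -c -f thisfile.nft
flush ruleset

table inet filter {
    chain input {
        # Default verdict: DROP. Packets that match no rule are discarded
        # with no ICMP error and no TCP reset sent back.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections we initiated are always fine.
        iif "lo" accept
        ct state established,related accept

        # Services this host actually offers.
        tcp dport { 22, 443 } accept

        # Assumed trusted LAN (placeholder range): REJECT instead of DROP so
        # local clients get an immediate "port unreachable" error rather than
        # hanging until their connect() times out. icmpx picks the right ICMP
        # or ICMPv6 message for the packet's address family in an inet table.
        ip saddr 192.168.1.0/24 counter reject with icmpx type port-unreachable

        # Everything else: count it for monitoring, then let the chain policy
        # drop it silently. A rate-limited log keeps a record without letting
        # a flood fill the log.
        limit rate 5/minute log prefix "nft-input-drop: "
        counter
    }
}
```

The iptables equivalents are `-j DROP` and `-j REJECT --reject-with icmp-port-unreachable` (the latter is the REJECT target's default reply type). After loading, `nft list ruleset` shows the per-rule counters, which is the quickest way to confirm that unsolicited traffic is ending up on the silent `drop` path rather than on the `reject` rule.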
From #
Linux Security: Enhancing Security with nftables and Beyond