ufw Linux firewall difference between reject and deny -

-

using uncomplicated firewall ufw, can set ports/services reject , deny.

for example:

ufw deny www  ufw reject www

can explain me difference between 2 approaches?

"deny" uses drop iptables target, silently discards incoming packets.

"reject" uses reject iptables target, sends error packet sender of rejected packet.

from ufw manual page:

sometimes desirable let sender know when traffic being denied, rather ignoring it. in these cases, use reject instead of deny.

from point of view of user/program trying connect server:

  • "deny" keep program waiting until connection attempt times out, short time later.

  • "reject" produce immediate , informative "connection refused" message.

edit:

from security point of view "deny" slightly preferrable. force every connection potential attacker time-out, slowing down probing of server.

experienced and/or determined attackers won't affected - patient , there several ways deal slow down, anyway. might discourage occasional wannabe did not bother read nmap manual page, though.

"deny" save bit of bandwidth on uplink not sending error packet. might important on asymmetric network connections dos attack saturate - narrower - uplink error packets.

on other hand, bit more polite let people know rejecting connections. refused connection lets people know permanent policy decision, rather e.g. short-term networking issue.


Comments

Post a Comment

Popular posts from this blog

javascript - Enclosure Memory Copies -

-
function myclass() { //lots , lots of vars , code here. this.bar = function() { //do numerous enclosed myclass vars } this.foo = function() { alert('hello'); //don't enclosed variables. } } each instance of myclass gets own copy of bar , foo, why prototyped methods use less memory. however, know more memory use of inner methods. it seems obvious me (1) below must true. agree? not distinct myclass instances have own distinct copies of bar, must have own distinct copies of myclass enclosure. (or else how bar method keep myclass variables straight on per instance basis?) now (2) question i'm after. since inner foo method doesn't use in myclass enclosure natural qustion is: javascript smart enough not keep myclass enclosure in memory use of foo? this depend entirely on implementation not language. naive implementations keep far more around others. answer true e.g. v8 (chrome's js engine) may not true spider...
Read more

php - Replacing tags in braces, even nested tags, with regex -

-
example preg_replace('/\{[a-za-z.,\(\)0-9]+\}/', 'replaced', 'lorem ipsum dolor sit {tag1({tag2()})}, consectetur adipiscing elit.'); the result: lorem ipsum dolor sit {tag1(replaced)}, consectetur adipiscing elit. question as can see "tag2" has been replaced, want replace "tag1" know how can this? (in cases might this: {tag1({tag2({tag3()})})}) , on.) btw using preg_replace_callback, easier show preg_replace here site can test code: http://www.spaweditor.com/scripts/regex/index.php you need add curly braces character set. here's pattern used: /\{[a-za-z.,\(\)\{\}0-9]+\}/ and here result: "lorem ipsum dolor sit replaced, consectetur adipiscing elit."
Read more