Firewall Wizards mailing list archives

Re: NAK dropped SYN-packets to sender?


From: "Perry E. Metzger" <perry () piermont com>
Date: 09 Aug 1999 17:52:56 -0400


"Frank Heinzius" <frimp () mms de> writes:
> our Firewall normally silently drops unauthorized packets from the
> Internet. It is also possible to send back an ICMP unreachable to the
> originator.
>
> Both methods have their advantage: silent dropping gives you an
> additional kinda "security by obscurity" level. The disadvantage is that
> TCP stacks from the originator will do a couple of retransmits due to the
> timeouts.
> If I sent ICMP unreachable, the attacker knows that there is a firewall
> mechanism which makes port scans very fast (if based on SYN-ACK). On the
> other hand, I don't have to deal with retransmits.
>
> What is the common and/or most recommended way?

I'm not a big believer in the "security from obscurity" features that
dropping ICMP unreachables gives you. However, if you are going to do that, at
least send "unreachables" for a few common undesirable services, like
the horrible "ident" protocol, which would otherwise result in delays
for things like mail delivery out of your firewall. (Unfortunately,
lots of SMTP MTAs now do an ident query back to a host sending mail,
and dropping those idents silently instead of with the ICMP will
result in major mail delays for you, among other things...)

Perry


