Firewall Wizards mailing list archives
Re: Performance question Drop or Reject
From: K K <kkadow () gmail com>
Date: Fri, 15 Jan 2010 10:56:11 -0600
On Wed, Jan 13, 2010 at 9:10 PM, Jason Lewis <jlewis () packetnexus com> wrote:
Is there any performance difference between a Drop/Deny or Reject rules? IDK if it's relevant, but I'm using iptables. If there isn't a performance hit between the two rules, is there anything else that might steer me towards picking one over the other?
Reject involves generating a new reply packet and transmitting it; this does have a performance impact. Drop is "faster"; a drawback to drop is that the originating host is likely to re-send the packet, so you'll just have to do the work again. If your site is often the target of spoofed packets (e.g. DDoS), then you would want to choose "drop". IME, the #1 reason people chose "Drop" is that they like to see "stealth" in their ShieldsUP! results :)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
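The trade-off in the reply above (REJECT answers every refused packet, DROP makes the sender retry, and a spoofed source turns REJECT's reply into traffic aimed at someone else) can be expressed as a small iptables policy. The script below is an added example written for this archive page, not a rule set posted in the thread: it uses REJECT only for a trusted range where the source address can be believed, rate-limits the replies REJECT generates, and falls back to DROP for the internet-facing side. The interface name eth0, the 10.0.0.0/8 range and the 50/second limit are assumptions chosen for the example; the rules are meant to sit after your ACCEPT rules as the final deny section of INPUT.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables deny section
# that chooses between REJECT and DROP per source, instead of applying it
# blindly; run with "apply" to execute the generated commands as root.

TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/8}"   # assumed internal range (example value)
WAN_IF="${WAN_IF:-eth0}"                  # assumed internet-facing interface (example value)
REJECT_RATE="${REJECT_RATE:-50/second}"   # assumed cap on reply packets REJECT may send
REJECT_BURST="${REJECT_BURST:-100}"

# Print the rules so they can be reviewed before being applied.
drop_reject_rules() {
    cat <<EOF
# Trusted side: REJECT so legitimate clients fail immediately instead of
# waiting out TCP retransmissions. tcp-reset for TCP, ICMP port-unreachable
# for everything else. "-m limit" bounds how many reply packets we generate.
iptables -A INPUT -s $TRUSTED_NET -p tcp -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REJECT --reject-with tcp-reset
iptables -A INPUT -s $TRUSTED_NET -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REJECT --reject-with icmp-port-unreachable
# Anything from the trusted range above the limit is discarded silently.
iptables -A INPUT -s $TRUSTED_NET -j DROP
# Untrusted side: DROP. With a spoofed source, a REJECT reply would go to the
# spoofed victim, and generating it costs more than discarding the packet.
iptables -A INPUT -i $WAN_IF -j DROP
EOF
}

# Count how many generated rules use a given target (REJECT or DROP);
# handy for checking the policy before applying it.
count_target() {
    drop_reject_rules | grep -v '^#' | grep -c -- "-j $1"
}

case "${1:-show}" in
    apply) drop_reject_rules | grep -v '^#' | sh ;;   # needs root and iptables
    *)     drop_reject_rules ;;
esac
```

Running the script with no argument prints the rules for review; `./script.sh apply` executes them. The limit module is the piece that makes REJECT safe to use at all on the trusted side: once the burst is exhausted, packets fall through to the DROP rule rather than each one costing a reply.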
Current thread:
- Performance question Drop or Reject Jason Lewis (Jan 14)
- Re: Performance question Drop or Reject K K (Jan 16)
- Re: Performance question Drop or Reject Paul Melson (Jan 16)
- Re: Performance question Drop or Reject Jason Lewis (Jan 16)
- Re: Performance question Drop or Reject Paul D. Robertson (Jan 16)