by notfoss 3818 days ago
Very nice article, even for advanced users (not attackers ;)).

I have one question though. What are your thoughts on DROP vs REJECT firewall rules? Some people claim that DROP offers no additional benefits over REJECT while causing inconvenience to legit users. ref: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-re...


I suspect reject uses some bandwidth and CPU time.
Shouldn't it be the opposite? If clients receive a REJECT message, they will simply stop trying to connect, but if they don't receive any response at all, i.e., DROP, they will keep on trying to connect before any timeout threshold kicks in, thus putting more load on the server.
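To put numbers on the trade-off the two replies are arguing about, here is an added simulation (not from the thread or the linked article) of what one connect() costs the filtering host and the client under DROP versus REJECT. It assumes a Linux-style client retry schedule (initial RTO of 1 s, doubling, 6 SYN retransmits); the `Outcome`, `connect_attempt` and `compare` names are mine.

```python
"""Constructed model of a filtered TCP port answering with DROP or REJECT.
The retry schedule mirrors Linux defaults (initial RTO 1 s, doubling,
tcp_syn_retries = 6) and is an assumption, not a measurement."""
from dataclasses import dataclass


@dataclass
class Outcome:
    policy: str
    syns_received: int     # packets the filtering host must process
    replies_sent: int      # packets the filtering host puts on the wire
    client_wait_s: float   # seconds until the client knows it failed


def connect_attempt(policy: str, syn_retries: int = 6, rto: float = 1.0) -> Outcome:
    """Simulate one client connect() against a port governed by `policy`.
    REJECT answers the first SYN (TCP RST or ICMP unreachable), so the client
    stops at once. DROP answers nothing, so the client retransmits its SYN
    with exponential backoff until its retry budget is exhausted."""
    if policy == "REJECT":
        return Outcome(policy, syns_received=1, replies_sent=1, client_wait_s=0.0)
    if policy == "DROP":
        elapsed = 0.0
        timeout = rto
        syns = 1                      # the initial SYN
        for _ in range(syn_retries):
            elapsed += timeout        # wait for a reply that never comes
            syns += 1                 # retransmit the SYN
            timeout *= 2              # exponential backoff
        elapsed += timeout            # final wait before giving up
        return Outcome(policy, syns_received=syns, replies_sent=0,
                       client_wait_s=elapsed)
    raise ValueError(f"unknown policy {policy!r}")


def compare(probes: int, policy: str) -> dict:
    """Aggregate cost of `probes` independent connect attempts (for example
    one legitimate user retrying, or a sweep of many ports) under one policy."""
    o = connect_attempt(policy)
    return {"policy": policy,
            "packets_in": probes * o.syns_received,
            "packets_out": probes * o.replies_sent,
            "client_wait_s": o.client_wait_s}


if __name__ == "__main__":
    for p in ("DROP", "REJECT"):
        print(compare(100, p))
```

Under these assumptions REJECT costs the host one inbound and one outbound packet per attempt and the client learns the result immediately, while DROP costs seven inbound packets, no outbound ones, and leaves the client waiting about two minutes.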