56

Using the Uncomplicated Firewall (ufw), I can set ports/services to reject and deny.

For example:

ufw deny www

ufw reject www

Can someone explain to me the difference between the two approaches?

Nullpointer
1 Answer

82

"deny" uses the DROP iptables target, which silently discards incoming packets.

"reject" uses the REJECT iptables target, which sends back an error packet to the sender of the rejected packet.

From the ufw manual page:

Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny.

From the point of view of the user/program that is trying to connect to your server:

  • "deny" will keep the program waiting until the connection attempt times out, some short time later.

  • "reject" will produce an immediate and very informative "Connection refused" message.

EDIT:

From a security point of view "deny" is slightly preferable. It will force every connection from a potential attacker to time out, thus slowing down the probing of your server.

Experienced and/or determined attackers won't really be affected - they are usually patient and there are several ways to deal with the slowdown, anyway. It might discourage the occasional wannabe who did not even bother to read the nmap manual page, though.

"deny" will also save a bit of bandwidth on the uplink by not sending the error packet. This might be important on asymmetric network connections where a DoS attack could simply saturate the - usually narrower - uplink with error packets.

On the other hand, it is a bit more polite to let people know that you are rejecting their connections. A refused connection lets people know that it is most probably a permanent policy decision, rather than e.g. a short-term networking issue.

thkala

  • Slow-down isn't really the main security benefit of DROP. Rather it's the fact that the attacker can't tell that there's any service running at all. This means that attackers who are scanning large ranges of IP addresses for open ports will likely move on from yours if you use DROP, whereas if you REJECT you become a target for further vulnerability investigation on the applicable port(s), because you've given away that something is listening. – JBentley Dec 20 '13 at 02:05
  • Will the firewall block incoming connections from localhost too? Because I want to deny all incoming connections to port 8080 on my laptop, but I need to use this port from localhost during development with RoR. – CamiloVA Mar 26 '20 at 17:39
  • @JBentley That only works if all of your ports drop. If some of them are open and others drop, an attacker can tell that you are probably using a firewall. In this case you gain absolutely no visibility advantage. See also here: https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject – MattSchmatt Jun 26 '20 at 00:06
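To make the client-side difference described in the answer concrete, here is an added example (not part of the question, the answer or the ufw project) that classifies a TCP connect() the way a port scanner would: "closed" when the kernel returns ECONNREFUSED (a TCP RST or ICMP port-unreachable, which is what a REJECT / "ufw reject" rule sends back), "filtered" when nothing comes back before the timeout (a DROP / "ufw deny" rule), and "open" when the handshake completes. The probe() function, the state names and the local_demo() helper are assumptions of this example; the loopback demo needs no firewall, because a port with no listener already answers with RST, which is exactly what a client sees from a rejecting host.

```python
import socket
from contextlib import closing


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP-connect to host:port and report the state a scanner would print.

    "open"     : three-way handshake completed, something is listening
    "closed"   : connect() failed with ECONNREFUSED, i.e. a TCP RST or an
                 ICMP port-unreachable came back (no listener, or a
                 REJECT / "ufw reject" rule answering on the host's behalf)
    "filtered" : no reply at all before `timeout` seconds (a DROP /
                 "ufw deny" rule, or packets lost on the way)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:            # silence: DROP-style behaviour
            return "filtered"
        except ConnectionRefusedError:    # RST / ICMP unreachable: REJECT-style
            return "closed"
        except OSError as e:              # no route, host unreachable, etc.
            return f"error: {e.strerror}"
        return "open"


def local_demo() -> dict:
    """Constructed demonstration on loopback, no firewall required.

    One socket is left listening (-> "open"); a second ephemeral port is
    bound and immediately released, so the kernel answers a SYN to it with
    RST (-> "closed"), the same reply a REJECT rule would generate.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more

    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    import sys

    print(local_demo())  # {'open': 'open', 'closed': 'closed'}
    # Optional: point it at a real host, e.g. one behind "ufw deny www",
    # and it returns "filtered" only after the full timeout has elapsed.
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2]), timeout=5.0))
```

Run against a host with "ufw reject www" the call returns "closed" immediately; against "ufw deny www" it blocks for the whole timeout and returns "filtered", which is both the slowdown the answer mentions and the "is anything there at all?" ambiguity JBentley's comment points to. A scanner cannot distinguish "filtered" from a dropped packet, but it can distinguish "closed" from "open", which is why a host that rejects some ports and accepts others reveals its firewall policy.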