... there are a number of issues considered all too rarely by firewall administrators. Most IP level firewalls have a number of options for handling a packet. The packet can typically be accepted, dropped, or sent through another set of rules for inspection (allowing you to break up your ruleset into more manageable pieces). When blocking a packet, you are faced with an important choice: whether to drop it silently, or generate an ICMP error message. Each choice has several advantages, and also creates a variety of potential problems.

If you generate an error message (i.e. ICMP unreachable), then the remote end will usually immediately stop trying to connect. This makes detecting some types of port scans more difficult since the remote end will likely send off only one packet, and give up after it receives the first error message. This also makes "shotgun" port scanning (i.e. where the attacker simply tries several thousand ports in rapid order) much easier, since the software will receive a definitive answer as to whether the port is blocked or not. Sending an error message does have several advantages, though, the primary one being to make life more difficult for someone who wants to spoof your IP addresses. Since your firewall is likely to generate ICMP error messages, the victim being attacked (by what looks like packets from your systems) will know something is up. To prevent you from sending error messages the attacker must take you offline, or otherwise act overtly to prevent data getting from the victim's network to yours and back.
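An added example, not from the original article, of the detection consequence just described: a small Python checker over constructed iptables-style LOG lines that flags a source by the number of distinct blocked ports it touches within a time window, so the signal holds whether the firewall drops silently (the remote stack retransmits the same probe, inflating packet counts) or rejects with an ICMP error (one probe per port). The log prefixes, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style LOG lines (not real traffic) for the two cases the
# text contrasts: DROPped probes to port 22 are retransmitted by the remote stack,
# while REJECTed probes from the second source are sent exactly once per port.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Jan 10 12:00:02 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Jan 10 12:00:04 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Jan 10 12:00:05 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23
Jan 10 12:00:06 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25
Jan 10 12:00:07 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80
Jan 10 12:00:09 fw kernel: FW-REJECT IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=21
Jan 10 12:00:09 fw kernel: FW-REJECT IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=22
Jan 10 12:00:09 fw kernel: FW-REJECT IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50003 DPT=23
Jan 10 12:00:09 fw kernel: FW-REJECT IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50004 DPT=25
Jan 10 12:30:00 fw kernel: FW-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=443
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log_text):
    """Yield (timestamp, src, dpt) per LOG line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed one is enough to order events
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), int(m.group(3))

def scan_sources(log_text, window_s=60, min_ports=4):
    """Flag sources touching >= min_ports distinct blocked ports within window_s.
    Distinct ports, not packets, are counted, so DROP retransmits do not change
    the verdict. Returns {src: (distinct_ports, packets_in_window)}."""
    events = defaultdict(list)
    for ts, src, dpt in parse(log_text):
        events[src].append((ts, dpt))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_win = [d for t, d in evs[i:] if (t - t0).total_seconds() <= window_s]
            if len(set(in_win)) >= min_ports:
                flagged[src] = (len(set(in_win)), len(in_win))
                break
    return flagged
```

The dropping source shows six packets for four ports while the rejected source shows four for four; a packet-count threshold would treat them differently, the distinct-port count does not.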

The link for this article located at SecurityPortal is no longer available.