Very newbie firewall question

What’s the difference (behaviour and risk) between a WAN incoming packet matching:

1 - a port blocked with a “drop” rule

2 - the same port opened but with no service answering/configured

??

Thank you

Good practice

BAD practice. A configuration reset or a service being enabled may inadvertently leave the device exposed.

What I see is:

1- Shut the front door and lock it.
2 - Leave the front door open / unlocked because all of my other (internal) room doors are locked or empty.


Squatters love empty houses…

I will jump in here to get an answer on what is the best practice for the firewall's last input rule:

1a - Pretend that there is nothing just black hole:

add chain=input action=drop

1b - Shut the front door and lock it:

add chain=input action=reject protocol=tcp reject-with=tcp-reset
add chain=input action=reject reject-with=icmp-port-unreachable

What do you prefer and why?

First one. Maybe tarpitting the tcp could be useful sometimes too.

For normal use, I vote for 1b.

If I don’t run any service on a given port, it’s already closed, like a closed door with a ball on the outside. No one can just come in from the street and open it whenever they want; only someone from inside can. I might not completely trust all the inhabitants of the house, so I can add a big lock (reject in the input chain). If only I have the key, it’s already safe enough for me. But hey, I might be a little paranoid, tear down the house, move into an underground bunker built under it, and pretend there’s nothing except the lawn (drop in input). I might feel safer there, but is it really that great? What about the poor postman, unable to find the house or the mailbox? It’s not for me, I don’t mind people knowing that I have a house. But I’m not saying it’s for everyone. Sometimes there might be a good reason for moving underground, and even extra traps in the lawn might come in handy (tarpitting TCP). :)
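To make the difference between the three cases in this thread concrete, here is an added example (not from any of the posters) showing what each policy looks like from the other side of the WAN link: a TCP connect that times out means the SYN was dropped (1a), an immediate refusal means a RST or ICMP port-unreachable came back (1b, or an open firewall port with no service behind it, which look identical from outside), and a completed handshake means something is listening. The function and label names are my own, and the demo builds its "open" and "closed" ports on localhost so it runs offline; the "filtered" outcome only appears when probing a real drop rule from outside.

```python
import errno
import socket
from contextlib import closing

# Labels follow the usual scanner vocabulary:
#   "filtered" -> silence (the 'add chain=input action=drop' policy)
#   "closed"   -> RST or ICMP port-unreachable (reject-with=tcp-reset /
#                 icmp-port-unreachable, OR a firewall-open port with no
#                 listener: from outside these two are indistinguishable)
#   "open"     -> three-way handshake completed, a service answered
#   "unreachable" -> an upstream router said host/net unreachable
def probe_tcp(host, port, timeout=2.0):
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"       # no SYN/ACK, no RST: packet was dropped
        except ConnectionRefusedError:
            return "closed"         # Linux maps RST and ICMP port-unreach here
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise
        return "open"

def demo_open_vs_closed():
    """Constructed local demo: one port with a listener, one with none."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve an ephemeral port, then release it so nothing listens there:
    # this is the "port open on the firewall but no service" case.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return (probe_tcp("127.0.0.1", open_port),
                probe_tcp("127.0.0.1", closed_port))
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo_open_vs_closed())  # ('open', 'closed')
```

Run `probe_tcp()` against your own router's WAN address from an outside host to confirm which of the two last-rule styles you actually ended up with after a config change.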