The difference between Linux Firewall reject and drop __linux

The policy action within the Linux firewall has reject and drop two, the difference is as follows:

1. The Reject action will return a reject (termination) packet (TCP fin or udp-icmp-port-unreachable), explicitly rejecting the other's connection action.

The connection is disconnected immediately, and the client considers that the host being accessed does not exist.

Reject there are some return parameters in the Iptables, as follows: ICMP port-unreachable, ICMP echo-reply, or tcp-reset (this packet would require the other person to turn off online), and after this processing action, will no longer compare to other rules, directly interrupt the filter program.

2, the drop action is simply to discard the data directly, does not feedback any response. The client waits for the timeout, and the client finds itself blocked by the firewall.

As for the use of drop or reject more appropriate has been inconclusive, because it is true that both have a suitable occasion:

1, reject is a more consistent with the standard of processing, and in a manageable network environment, more easily diagnose and debug network/firewall problems;

2, DROP provides a higher firewall security and a slight increase in efficiency, but because drop is not very standard (not very good with the TCP connection specification), it may
cause some unpredictable or difficult problems with your network. Because drop, although it unilaterally interrupts the connection, does not return any rejection information, the connection client waits passively for the TCP session timeout to determine whether the connection was successful, so there are problems in the early enterprise internal network, such as some client programs or applications that require Ident protocol support ( TCP Port 113, RFC 1413, if the
Firewall has not been notified that the drop rule is applied, all of the same connections will fail, and due to timeout, it will be difficult to tell whether the problem is caused by a firewalls or network device/line failure.

Note: When deploying a firewall, it is best to use a more gentlemanly reject
method for networks that are internal to the enterprise (or partially trusted), as is the case for a network that requires frequent changes or debugging rules, and for dangerous internet/extranet firewalls ,
It is necessary to use a more brutal but secure DROP method, to some extent delaying the progress (and difficulty of the hacker attack, at least, drop
can allow them to tcp-connect the port scan longer).