Date:      Fri, 17 Oct 2014 23:50:31 -0500
From:      Chris Buechler <cmb@pfsense.org>
To:        Laszlo Danielisz <laszlo_danielisz@yahoo.com>
Cc:        "pf@freebsd.org" <pf@freebsd.org>
Subject:   Re: drop vs return
Message-ID:  <CAOmxWMUGToF0Ad59SrJypkkJoL7i-x1wm2BzK7V7q-cTe4indA@mail.gmail.com>
In-Reply-To: <1413316498.26781.YahooMailNeo@web160701.mail.bf1.yahoo.com>
References:  <1413316498.26781.YahooMailNeo@web160701.mail.bf1.yahoo.com>

On Tue, Oct 14, 2014 at 2:54 PM, Laszlo Danielisz via freebsd-pf
<freebsd-pf@freebsd.org> wrote:
> Hi,
>
> Which is your set block-policy? Drop or Return?
> And why?
>

Depends on the circumstance. Generally speaking, for traffic sourced
from trusted networks, return so you don't hang applications or
services by blocking their traffic. It's friendlier. For any traffic
sourced from the Internet, or networks with devices that aren't
"trusted" (for whatever your definition of trusted), block so
untrusted machines can't make your firewall generate reply packets
(which will exacerbate a DoS/DDoS, among other potential issues).
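
An added example, not part of the original message: a pf.conf fragment that applies the per-source policy described in the reply above, dropping silently by default and returning only on the trusted side. The interface names (em0, em1) and the permitted ports are assumptions chosen for illustration.

```conf
# Constructed example; interface names and ports are assumptions.
ext_if = "em0"          # Internet-facing (untrusted)
int_if = "em1"          # trusted LAN

# Global default: blocked packets are discarded with no reply, so
# untrusted sources cannot make the firewall emit RSTs or ICMP errors.
set block-policy drop
set skip on lo0

# Default deny. With block-policy drop this is a silent drop.
block log all

# Override for the trusted side only: blocked TCP gets a RST and blocked
# UDP gets an ICMP unreachable, so LAN applications fail fast instead of
# waiting for a timeout. The last matching rule wins, so this replaces
# the default drop for packets arriving on $int_if.
block return in on $int_if all

# Permitted LAN traffic (example services only).
pass in on $int_if inet proto tcp from $int_if:network to any port { 80 443 }
pass in on $int_if inet proto udp from $int_if:network to any port 53

# Let the permitted traffic leave on the external interface.
pass out on $ext_if all

# Syntax check without loading the ruleset: pfctl -nf /etc/pf.conf
```

NAT and inbound services are left out; anything arriving on the external interface that no pass rule matches falls through to the silent default drop.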


