May 16, 2012
tom

Will dropping only SYN packets improve or decrease firewall performance?

Question

I’m setting up ipfw, and the following was suggested to me: If I make the rule only to drop SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets.

It seems counterintuitive to me. I think that the firewall will perform better if I block all communication on the specified port (less packet inspection involved), and since no connection can be established either way, the number of incoming packets will be the same.

Is there really a difference?

Edit: concrete problem, blocking SSH from somehost:

ipfw add deny tcp from somehost to any port 22 via em0 tcpflags syn

vs.

ipfw add deny tcp from somehost to any port 22 via em0

Asked by Barnaba

Answer

Globally blocking all traffic to the specified port seems to be more effective than blocking certain kinds of traffic; as you said, less packet inspection. It really depends on your intent. If you want the service to be open and available but don’t want someone SYN scanning that port, there are other methods of detecting this kind of activity. If you don’t want the service to be available altogether, close the port.

I think it’s funny though, “If I make the rule only to drop SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets.”

Well…if you don’t want the firewall to look at any packets at all, deny all! If you want to have a log (for some reason) of SYN packets to the specified port, then you could do this, but I honestly don’t see the benefit whatsoever.

Whoever suggested blocking SYN packets and it increasing performance needs to study up on his Net+.

Answered by Anonymous
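The following is an added example, not part of the question or the answer above: a small Python model of how ipfw evaluates the two deny rules from the question against a constructed packet trace. It assumes "somehost" is 10.0.0.5 on interface em0 and the protected port is 22; the addresses and the packet sequence are constructed for the demonstration.

```python
# Added example, not from the original post: a minimal model of how the two
# ipfw deny rules from the question treat TCP packets from "somehost".
# Assumptions: "somehost" is 10.0.0.5 (constructed), the interface is em0,
# and the protected port is 22, as in the question.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SOMEHOST = "10.0.0.5"   # constructed stand-in for "somehost"
OTHERHOST = "10.0.0.9"  # constructed unrelated client


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    iface: str
    flags: FrozenSet[str]   # TCP flags set on the segment, e.g. {"SYN"}


@dataclass(frozen=True)
class DenyRule:
    src: str
    dport: int
    iface: str
    tcpflags: Optional[FrozenSet[str]] = None  # None: match any flag combination

    def matches(self, p: Packet) -> bool:
        # Both rules compare the same address/port/interface fields first,
        # so the flag-restricted rule does no less work per packet; it adds
        # a flag test on top.
        if (p.src, p.dport, p.iface) != (self.src, self.dport, self.iface):
            return False
        if self.tcpflags is None:
            return True
        # ipfw "tcpflags syn" matches any segment with SYN set (SYN or SYN+ACK).
        return self.tcpflags <= p.flags


# ipfw add deny tcp from somehost to any port 22 via em0 tcpflags syn
SYN_ONLY = DenyRule(SOMEHOST, 22, "em0", frozenset({"SYN"}))
# ipfw add deny tcp from somehost to any port 22 via em0
ALL_TCP = DenyRule(SOMEHOST, 22, "em0")


def evaluate(rule: DenyRule, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Return (denied, passed) for one deny rule followed by an implicit allow."""
    denied = [p for p in packets if rule.matches(p)]
    passed = [p for p in packets if not rule.matches(p)]
    return denied, passed


def sample_traffic() -> List[Packet]:
    """Constructed trace: a client retrying its SYN, then non-SYN segments."""
    syn = frozenset({"SYN"})
    return [
        Packet(SOMEHOST, 22, "em0", syn),                 # initial SYN
        Packet(SOMEHOST, 22, "em0", syn),                 # retransmit: no SYN+ACK came back
        Packet(SOMEHOST, 22, "em0", syn),                 # second retransmit
        Packet(SOMEHOST, 22, "em0", frozenset({"ACK"})),  # bare ACK with no handshake
        Packet(SOMEHOST, 22, "em0", frozenset({"RST"})),  # bare RST
        Packet(OTHERHOST, 22, "em0", syn),                # unrelated client, passes both
    ]


def compare() -> Dict[str, Dict[str, int]]:
    """Summarise how many packets each rule denies and lets through to the TCP stack."""
    traffic = sample_traffic()
    out: Dict[str, Dict[str, int]] = {}
    for name, rule in (("syn_only", SYN_ONLY), ("all_tcp", ALL_TCP)):
        denied, passed = evaluate(rule, traffic)
        out[name] = {
            "denied": len(denied),
            "passed": len(passed),
            "somehost_passed": sum(p.src == SOMEHOST for p in passed),
        }
    return out


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Run as-is and the two rules deny the same three SYNs: a client that never receives a SYN+ACK simply retransmits its SYN, so the packet count the firewall sees is the same either way, and the flag-restricted rule performs one more comparison per packet, not fewer. The port-wide rule is also the tighter one: under the SYN-only rule, the bare ACK and RST segments from somehost still reach the host's TCP stack, which answers an unexpected ACK on a listening port with a RST of its own.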
