I’m setting ipfw, and the following was suggested to me: If I make the rule only to drop SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets.
It seems counterintuitive to me. I think that the firewall will perform better if I block all communication on the specified port (less packet inspection involved), and since no connection can be established either way, the number of incoming packets will be the same.
Is there really a difference?
Edit: concrete problem, blocking SSH from somehost:
ipfw add deny tcp from somehost to any 22 via em0 tcpflags syn
ipfw add deny tcp from somehost to any 22 via em0
Globally blocking all traffic to the specified port seems to be more effective than blocking certain kinds of traffic, as you said, less packet inspection. It really depends on your intent. If you want the service to be open and available but don’t want someone SYN scanning that port, there are other methods of detecting this kind of activity. If you don’t want the service to be available altogether, close the port.
I think it’s funny though, “If I make the rule only to drop SYN packets for TCP, no connection could be established and the firewall won’t even have to look at other packets.”
Well… if you don’t want the firewall to look at any packets at all, deny all! If you want to have a log (for some reason) of SYN packets to the specified port, then you could do this, but I honestly don’t see the benefit whatsoever.
Whoever suggested blocking SYN packets and it increasing performance needs to study up on his Net+
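To make the difference between the two rules in the question concrete, here is an added model of their match logic (example code, not from the original post and not ipfw itself); the host names and the constructed segment stream are placeholders. It shows that both rules are evaluated against every segment from somehost, so neither saves inspection work, but only the unconditional deny stops non-SYN segments (ACK probes, RST, FIN) from reaching the host.

```python
# Added example: a tiny model of how the two ipfw rules from the question
# match a constructed stream of TCP segments.  It does not run ipfw; it only
# reproduces the match logic of
#   deny tcp from somehost to any 22 via em0 tcpflags syn
#   deny tcp from somehost to any 22 via em0
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dport: int
    iface: str
    flags: frozenset  # TCP flag names set in the header, e.g. {"SYN", "ACK"}


def rule_syn_only(seg: Segment) -> bool:
    """deny ... tcpflags syn: ipfw matches when SYN is set, whatever else is set."""
    return (seg.src == "somehost" and seg.dport == 22 and seg.iface == "em0"
            and "SYN" in seg.flags)


def rule_all(seg: Segment) -> bool:
    """deny ... with no flag test: every matching segment is dropped."""
    return seg.src == "somehost" and seg.dport == 22 and seg.iface == "em0"


# Constructed traffic (placeholder hosts): a connect attempt, an ACK-only probe,
# an RST and a FIN from somehost, plus a SYN from another host to show scope.
TRAFFIC = [
    Segment("somehost", 22, "em0", frozenset({"SYN"})),
    Segment("somehost", 22, "em0", frozenset({"ACK"})),
    Segment("somehost", 22, "em0", frozenset({"RST"})),
    Segment("somehost", 22, "em0", frozenset({"FIN", "ACK"})),
    Segment("otherhost", 22, "em0", frozenset({"SYN"})),
]


def apply(rule, traffic):
    """Run one deny rule over the stream; return (denied, passed, inspected)."""
    denied = [s for s in traffic if rule(s)]
    passed = [s for s in traffic if not rule(s)]
    return denied, passed, len(traffic)  # the rule is evaluated for every segment


def compare(traffic=TRAFFIC):
    """Flag sets from somehost that still reach the host under each rule."""
    _, passed_syn, n_syn = apply(rule_syn_only, traffic)
    _, passed_all, n_all = apply(rule_all, traffic)
    fmt = lambda segs: sorted(",".join(sorted(s.flags)) for s in segs if s.src == "somehost")
    return {"syn_only_passes": fmt(passed_syn), "deny_all_passes": fmt(passed_all),
            "inspected": (n_syn, n_all)}
```

Neither rule lets the three-way handshake complete, but the SYN-only rule still inspects every segment and forwards the non-SYN ones to the host, which is why closing the port outright is the cheaper and safer choice when the service should not be reachable.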