Deny vs block

  • Guys, I want to ask: what's the difference between deny and block in firewall rules?
    Newbie question.

  • Block simply discards the packet and returns no response to the source. It will cause a connection timeout on the client.

    Reject sends a TCP RST to the source, which will generate a 'connection refused' message and immediately close the connection on the client.

    It's generally better to use block rules on the WAN side; it will make scans take longer and removes a couple of DoS opportunities. Reject does make sense in some cases though, especially on the LAN side, where you want a quick failure, for example to block outgoing SMTP that doesn't go through your relay.
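    The client-side view of the two behaviours described above (a timeout versus an immediate 'connection refused'), as an added Python example that is not part of this thread. It assumes you are probing a host or rule set you administer; the constructed demo input is a closed loopback port, which the kernel answers with a TCP RST exactly as a reject rule would, while a `socket.timeout` is what a silent block rule produces. The function names `classify_connect_failure`, `probe` and `closed_local_port` are this example's own.

    ```python
    import socket
    import time


    def classify_connect_failure(exc):
        """Map a failed TCP connect() to the firewall behaviour that most likely caused it."""
        if isinstance(exc, ConnectionRefusedError):
            # A TCP RST came back: a reject rule (or simply nothing listening on the port).
            return "reject"
        if isinstance(exc, (socket.timeout, TimeoutError)):
            # Nothing came back within the timeout: a silent block/drop rule (or the host is down).
            return "block"
        # Anything else, e.g. "Network is unreachable", is routing rather than a filter decision.
        return "other"


    def probe(host, port, timeout=2.0):
        """Attempt one TCP connect and report (outcome, elapsed seconds).

        The elapsed time is the point the answer makes: a reject fails in
        milliseconds, a block only fails when the client gives up waiting.
        """
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return "open", time.monotonic() - start
        except OSError as exc:
            return classify_connect_failure(exc), time.monotonic() - start


    def closed_local_port():
        """Constructed demo input: bind an ephemeral loopback port, release it, return its number."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 0))
            return s.getsockname()[1]


    if __name__ == "__main__":
        port = closed_local_port()
        # The loopback kernel answers with RST, so this reports "reject" almost instantly.
        print(probe("127.0.0.1", port))
    ```

    Run the same `probe` against a port behind a WAN block rule and the outcome becomes `"block"` only after the full `timeout` elapses, which is the delay that makes scans against block rules slower.
    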

