[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
Florian Weimer
fweimer at bfk.de
Mon Apr 7 07:00:07 EDT 2008
* A. L. M. Buxey:
>> for a firewall, not sending an RST for a denied connection, isn't it
>> the "Right Thing" to do?
>
> ah, the perennial DROP or REJECT question.

Not really. Faking the RST with the address of the target doesn't
give you any hint what's rejected the connection attempt. I know that
some people do not want to leak that data, but its absence makes
debugging quite hard.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99