[j-nsp] Meaning of "except" in firewall filters
Dave Diller
dave at maxgigapop.net
Thu Oct 30 12:33:45 EDT 2008
>
> Why not just do the boolean inverse:
I use this as well, an accept term followed by a reject-all term, as
it is easier/cleaner for someone not intimately familiar with how the
clauses match to read this way, so I worry less about people
misinterpreting what I've applied on a casual run through. Myself
included ;-) Much easier to debug, too, case in point.
>
> from {
> destination-port ssh;
I use
from {
protocol tcp;
port ssh;
Is there any particular advantage to either method? I'm matching
source OR destination port, and I really only need destination, so
yours IS a bit more fine-grained...
> then {
> log;
> reject tcp-reset;
I've been using discard here. Sure, it ties up MY resources as well
as theirs, but I've also got "ssh rate-limit 10" so am not overly
concerned (and I'm fine tying them up as long as possible). Perhaps
if it were a DDOS SSH attack I might start to notice...
Curious about the effects of the various options, I just tried a few
of them.
'Discard' gives a 90 second timeout and a "Connection timed out" error
when you open an ssh connection.
'Reject' also gives a 90 second timeout but a "No route to host" error.
'Reject tcp-reset' gives an instant timeout and a "Connection
refused", which makes sense given the RST.
So I suppose it's just a philosophical difference - either way will
keep them from opening a port, but do you want to keep them busy or
just send them packing...
-dd
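As an added example (not from the original thread), here is a Junos filter written the way the post describes: an explicit accept term for trusted sources, a log-and-reject term for every other SSH attempt, and a final accept so the filter's implicit discard does not block other traffic when it is applied to lo0. The filter name, term names and the 192.0.2.0/24 management prefix are assumptions for illustration; the "then" action in the deny term is where you choose between the three behaviours the post compares.

```junos
firewall {
    family inet {
        filter PROTECT-SSH {
            /* Hypothetical trusted management prefix; substitute your own. */
            term allow-trusted-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    /* destination-port matches only packets aimed at the SSH
                       server; "port ssh" would also match any packet whose
                       *source* port is 22, which is looser than needed here. */
                    destination-port ssh;
                }
                then accept;
            }
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    log;
                    /* Choose one:
                       discard          - silent drop, client waits for a timeout
                       reject           - ICMP unreachable back to the client
                       reject tcp-reset - TCP RST, client sees "Connection refused" */
                    reject tcp-reset;
                }
            }
            /* Junos filters end with an implicit discard, so everything that is
               not SSH needs an explicit accept when this is applied to lo0. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-SSH;
                }
            }
        }
    }
}
system {
    services {
        ssh {
            /* Same knob the post mentions: cap concurrent SSH session setups. */
            rate-limit 10;
        }
    }
}
```

Reading the two terms top to bottom gives the "boolean inverse" the post prefers: anything that does not match the first term's source prefix falls through to the second and is logged and rejected, with no `except` clause to interpret. Use `show firewall filter PROTECT-SSH` to watch the deny term's counters and `show log messages` for the logged packets when testing the discard, reject and reject tcp-reset variants.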