deny policy: reject VS drop

thewolf

deny policy: reject VS drop
« on: December 01, 2003, 05:30:46 pm »
Hi,
is it possible to configure a deny policy to explicitly reject packets instead of silently dropping them?

How do I do it from the CLI or the web interface with ScreenOS 4.0?

Thanks,
Marco.


cyh

deny policy: reject VS drop
« Reply #1 on: December 02, 2003, 02:00:40 am »
any difference between reject and drop?

thewolf

deny policy: reject VS drop
« Reply #2 on: December 02, 2003, 03:12:17 am »
Quote from: cyh
any difference between reject and drop?

A drop policy will silently discard the packets, so it will take some time for the client (e.g. web browser) before it times out the request.

A reject policy will "tell" the client that the connection is not allowed and you will get a "connection refused" message immediately or something like that.

Sometimes it is better to use a reject policy in order to speed up things.

I know that you can set up deny policies to drop or reject packets with other firewalls (for sure with "iptables" on Linux), any way to do it with NetScreen ScreenOS?

Thanks,
Marco.
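
The client-side difference described above, as an added example that is not part of the original thread: a small probe that classifies a TCP connect attempt as open, rejected (an RST or ICMP port-unreachable comes straight back, as with an iptables REJECT) or dropped (nothing comes back and the client waits out its full timeout, as with DROP). The loopback listener and the unused port are constructed fixtures; against a real DROP policy the call only returns after `timeout` seconds.

```python
import socket
import time


def classify_connect(host, port, timeout=3.0):
    """Attempt a TCP connect and return (verdict, seconds_elapsed).

    'rejected'   -> ECONNREFUSED: the peer or a rejecting firewall answered
                    with a TCP RST (or ICMP port unreachable); instant failure.
    'dropped'    -> no reply at all before the timeout expired; this is the
                    slow path a silent drop policy forces on the client.
    'unreachable'-> other OSError, e.g. ICMP host unreachable / no route.
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "rejected"
    except socket.timeout:
        verdict = "dropped"
    except OSError:
        verdict = "unreachable"
    finally:
        s.close()
    return verdict, time.monotonic() - start


def start_listener():
    """Constructed fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_port():
    """Constructed fixture: a loopback port with no listener (bind, read, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = start_listener()
    print("listening port     :", classify_connect("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("closed port (RST)  :", classify_connect("127.0.0.1", closed_port()))
```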

greg

No reject
« Reply #3 on: December 12, 2003, 04:12:21 am »
Hi,

I think it isn't possible to do a "reject".

The only action of Netscreen is "drop" or "permit".

Greg
Be Netscreen with you !

diebad

deny policy: reject VS drop
« Reply #4 on: December 15, 2003, 06:49:14 am »
With ScreenOS 5.x Deep Inspection you will be able to create your own signature for detecting some packets. Then you can send a TCP reset and close the connection. But the DI only supports a few protocols like SMTP, HTTP and so on.

cheers,
dieter

Florent

deny policy: reject VS drop
« Reply #5 on: December 16, 2003, 09:58:22 am »
For non-SYN packets you can configure the zone settings to send RST packets.
FlO
__ www.netsc.ch __

thewolf

deny policy: reject VS drop
« Reply #6 on: December 16, 2003, 02:35:00 pm »
Quote from: Florent
For non-SYN packets you can configure the zone settings to send RST packets.

Is that possible with ScreenOS 4.0 too?

Can you explain to me how to get to the zone settings page via the web interface?

Thanks,
Marco.