ufw Linux firewall difference between reject and deny
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/4907173/
Asked by CuriousFirewallNewbie
Using the uncomplicated firewall ufw, I can set ports/services to reject and deny.
For example:
ufw deny www
ufw reject www
Can someone explain to me the difference between the two approaches?
Answered by thkala
"deny" uses the DROP iptables target, which silently discards incoming packets.
"reject" uses the REJECT iptables target, which sends back an error packet to the sender of the rejected packet.
From the ufw manual page:
Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny.
From the point of view of the user/program that is trying to connect to your server:
"deny" will keep the program waiting until the connection attempt times out, some short time later.
"reject" will produce an immediate and very informative "Connection refused" message.
EDIT:
From a security point of view "deny" is slightly preferable. It will force every connection from a potential attacker to time out, thus slowing down the probing of your server.
Experienced and/or determined attackers won't be really affected - they are usually patient and there are several ways to deal with the slowdown, anyway. It might discourage the occasional wannabe that did not even bother to read the nmap manual page, though.
"deny" will also save a bit of bandwidth on the uplink by not sending the error packet. This might be important on asymmetric network connections where a DoS attack could simply saturate the - usually narrower - uplink with error packets.
On the other hand, it is a bit more polite to let people know that you are rejecting their connections. A refused connection lets people know that it is most probably a permanent policy decision, rather than e.g. a short-term networking issue.
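As an added illustration (not part of the original question or answer), the following Python script shows the client-side difference the answer describes: a connection met by a REJECT-style response fails immediately with ECONNREFUSED, while a DROP rule leaves the client waiting until its own timeout expires. The script is constructed to run offline: a loopback listener stands in for an allowed port, and the same port after the listener is closed stands in for a "reject" rule, since a closed port and a REJECT target both produce the same immediate refusal on the client. The "timeout" branch is only exercised when `probe()` is pointed at a host that really drops the packets; the host, port and timeout values are assumptions you supply.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """Attempt a TCP connect and classify what the client experiences.

    Returns (verdict, elapsed_seconds). verdict is one of:
      "open"        - the TCP handshake completed
      "refused"     - immediate ECONNREFUSED: what a ufw 'reject' rule
                      (REJECT target) produces, and also what a closed port
                      produces
      "timeout"     - no answer within `timeout`: what a ufw 'deny' rule
                      (DROP target) produces; indistinguishable from a
                      host that is simply down
      "unreachable" - the local stack could not even route to the host
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        # RST or ICMP port-unreachable came back: the REJECT experience.
        verdict = "refused"
    except socket.timeout:
        # Nothing came back at all within `timeout`: the DROP experience.
        verdict = "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def demo_local():
    """Constructed loopback demonstration (no firewall needed).

    One listening socket stands in for an allowed port; after it is closed,
    the same port answers every SYN with a RST, which the client reports as
    ECONNREFUSED exactly like a 'reject' rule would.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]

    open_result = probe("127.0.0.1", port)
    listener.close()  # now the port is closed -> immediate refusal
    refused_result = probe("127.0.0.1", port)
    return port, open_result, refused_result


if __name__ == "__main__":
    port, opened, refused = demo_local()
    print(f"port {port} listening : {opened[0]:<8} after {opened[1]:.3f}s")
    print(f"port {port} closed    : {refused[0]:<8} after {refused[1]:.3f}s")
    # Against a host behind a ufw 'deny' rule (assumed address/port, fill in
    # your own), the verdict is "timeout" and elapsed is ~= the timeout value:
    #   probe("192.0.2.10", 80, timeout=2.0)
```

The timing column is the point of the example: "refused" returns in milliseconds, which is the "immediate and very informative" behaviour the answer attributes to reject, whereas a dropped connection occupies the client for the full timeout on every attempt, which is the slowdown the answer credits to deny.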