In NodeWorx | Server | Firewall for TCP and UDP Drop Policies, there are 3-4 options.
Reset, Drop, Reject plus UDP has an additional Prohibit.
The setting now is at Drop, but which one is the best, and can anyone give me a description and benefits of one over another. Such description and help text is a good idea to include in your “?” help pop window.
Also when on “Drop”, I receive approximately a thousand lines of “Packet Drop” notifications in my daily log email, which is already bloated by the obsolete “Succesfull email” logins, which I BTW also would like to know how to get rid off.
The easier question first: to reduce your DROP logs, you’ll need to edit /etc/apf/conf.apf and set DROP_LOG to 0.
I’ll have to do a little more digging to determine the exact differences between the drop options, but here is the gist: DROP drops all packets, without returning any information to the destination. All the others are some form of REJECT, with different reject responses.
The TCP default is RESET, which is the same as REJECT, but sends back a TCP reset packet
The UDP default is RESET also, again REJECT, but this sends an icmp-port-unreachable packet.
PROHIBIT sends back an icmp-host-prohibited packet.
I believe the default for REJECT, if no ‘–reject-with’ paramater is supplied is “icmp-port-unreachable”, but I’ll have to dig a little more to confirm.