Reject vs. Drop

Is there a reason the default setting is reject/accept/reject as opposed to drop/accept/drop?

I'm not referring to the global settings, I'm referring to the wan to lan setting.

P.S. also, why is ping allowed by default? If my external ip is being probed I want it to look like nothing has that address.

Because you never should. ICMP is an integral part of many protocols, like Path MTU discovery, some TCP congestion control algorithms and many other things.


It's the cleanest solution. If you drop incoming traffic, the external peer will, after a timeout, try again. When you reject it, the external peer knows that and won't try again.


Are you talking about lan to lan pings?

I can ping the router from inside; I'm talking about dropping a ping from the internet.

I'm sorry, I think something was lost in translation:

I'm not sure what should never be done.

No, he and you are both talking about ping from the Internet.

Dropping packets.
By dropping packets, it may cause some Internet traffic management functionality to stop working.

Regarding your original question,

Especially with IPv6 there is more smartness in the routing path optimization in the background, e.g. path MTU discovery. It is better to respond according to the intended behaviour of the TCP/IP protocols.

The discussion about drop/reject surfaces every now and then, so you can also find earlier discussions on that.


I've been lurking to get a better understanding of routing and came upon a reply by psherman that said drop was the default (don't know what year that was). I had already changed it to drop because ShieldsUp suggested it.

So I just wondered why it used to be 'drop' by default and changed to reject.
thanks!


TL;DR: no. Blindly dropping ICMP makes things worse.
You can of course drop other stuff if you like, but more often than not it's security theater. If you fear someone will DoS you by generating ICMP packets based on reject, then simply rate limit.

Edit/PS: reject makes lives easier. You will not blindly debug any connectivity issues. If the other end sends ICMP and/or reject, you know "ah cool, I can reach it". There are also various ICMP types/codes to state a reason why the packet got rejected.


Reject has been the default for the wan input rule for a very long time. It is possible I was mistaken in a past post, but I do agree with the others here who say that reject is the preferred rule.

Do you have a link to that old post of mine that you saw?


I saw it today and I just scrolled through about 2 weeks of posts looking for one that is grey but I cannot find it.

I do know I noticed your reply was not recent.
No worries, I wanted that answered before I saw your post.

If I come across it again I'll get it to you.

I fear it is not as simple as a GUI click ;- )

Interestingly for ICMPv6 it seems quite easy.....

Also available for IPv4

Interestingly, for IPv6 there is a default rate limit; for IPv4 there is not...


Don't ask me... I don't use Luci :man_shrugging: :sweat_smile:

