Difference between Deny and Reject

Asked by Panagiotis Ligopsychakis on 2010-02-17

What is the difference between Deny and Reject rule?

Question information

Language: English
Status: Solved
For: Gufw
Assignee: No assignee
Solved by: Panagiotis Ligopsychakis
Solved: 2010-02-18
Last query: 2010-02-18
Last reply: 2010-02-18

costales (costales) said : #1

Hi! You have information here ;)
https://help.ubuntu.com/community/Gufw#Enabling
Best regards!

Checking the manual from the Ubuntu terminal about the ufw configuration, I found that the difference between the Deny and Reject rules is as follows:
-------------------------------------------------------------------------------------------------------------------------------------------------------------
  Sometimes it is desirable to let the sender know when traffic is being
       denied, rather than simply ignoring it. In these cases, use reject
       instead of deny. For example:

         ufw reject auth
--------------------------------------------------------------------------------------------------------------------------------------------------------------
As I understand this means that:
Reject: the system simply just ignores all incoming packets
Deny: the system ignores all incoming packets but informs the sender that it has been rejected.

This is something completely different from what it is mentioned here:
https://help.ubuntu.com/community/Gufw#Enabling

I think that letting the sender know that he has been rejected doesn't have anything to do with the response of the machine to pings.
Am I right and the how-to in the link above is wrong? Am I wrong? Or something in between?

I hope to get an answer soon because the security of a system is something really important...

costales (costales) said : #3

Reject & Deny is different about PINGs ;)
Please read these URLs:
https://answers.launchpad.net/ufw/+question/26585
http://ubuntuforums.org/showthread.php?t=773485
Best regards.

Thanks for your answer, but again I can't find anything that supports what you are saying about the Reject/Deny rules and answering pings or not, respectfully.
Even the Ubuntu manuals about ufw don't mention anything about answering or ignoring a ping...

It seems that the only way to stop the system from answering pings is by editing the /etc/ufw/before.rules file and commenting out the line: -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

costales (costales) said : #5

Please remember that free software is live software :) It evolves more quickly! :D Maybe some documentation is older. Feel free to edit and update the wiki :)

About your question, remember that Gufw is a GUI (Graphical User Interface) for ufw, and ufw is a wonderful frontend for iptables.
You'll secure deny all traffic ;)

If you don't want to reply to PINGs, then edit the /etc/ufw/before.rules file :)

Best regards!

costales (costales) said : #6

Oops, in the man pages you will find information too :)
man ufw
man gufw
:)

Thanks again for answering so quickly!!
I edited the wiki and changed the explanations of the rules. Now I believe they are more accurate...
https://help.ubuntu.com/community/Gufw#Enabling

Best regards!

costales (costales) said : #8

Thanks for your help improving the wiki :D and for using Gufw :)
Best regards!

I will use the Gufw, that's for sure...

In fact I wrote a how-to for the program at my country's Ubuntu forum.
A member of our forum spotted the inaccuracy in the explanation of the Deny/Reject rules, so I started to ask questions and read through the available manuals...
If you know the Greek language you can take a look at our forum: http://forum.ubuntu-gr.org/index.php or even read the how to: http://forum.ubuntu-gr.org/viewtopic.php?f=9&t=5885&p=57684#p57684

costales (costales) said : #10

Thanks very much!!!
I don't know Greek, sorry! But I will go in the future! (not planned)
This summer I met Costas in my country, a member of the Greek Ubuntu Forum :D He helped us at an install party for Karmic! :D
Cheers!

costales (costales) said : #11

Panagiotis Ligopsychakis, you have it upside down. The correct one is:

Deny : the system simply just ignores all incoming packets
Reject : the system ignores all incoming packets but informs the sender that it has been rejected.

https://help.ubuntu.com/community/Gufw#Enabling is correct

But since you have also made some corrections to the link above, I guess we already have the same
understanding about this.

Since I found this page while searching for the answer, I think this should be re-emphasised to prevent
others from being misled as I was.

"Sometimes it is desirable to let the sender know when traffic is being
denied, rather than simply ignoring it. In these cases, use reject
instead of deny" -- man ufw
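
A way to check from the sender's side which behaviour a rule produces, as an added example that is not part of the original thread: going by the man ufw text quoted above, a TCP connection attempt is refused at once when the sender is informed (reject) and only times out when the traffic is ignored (deny). The function names and the localhost demo are assumptions made for illustration.

```python
import socket
import time


def classify(error):
    """Translate the outcome of one TCP connect attempt into what the sender saw."""
    if error is None:
        return "open"        # handshake completed: traffic is allowed
    if isinstance(error, socket.timeout):
        return "dropped"     # silence until our timer expired: deny-like
    if isinstance(error, ConnectionRefusedError):
        return "rejected"    # the sender was told straight away: reject-like
    return "unknown"         # e.g. no route; says nothing about the rule


def probe(host, port, timeout=2.0):
    """Try one TCP connection; return (verdict, seconds waited)."""
    start = time.monotonic()
    error = None
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:
        error = exc
    return classify(error), time.monotonic() - start


def demo():
    """Constructed localhost demo: a listener, then a port with nothing on it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    results = {"listening": probe("127.0.0.1", open_port)[0]}
    listener.close()
    # With the listener closed the kernel refuses the connection, which is
    # what a sender also observes when a reject rule answers for the port.
    results["closed"] = probe("127.0.0.1", open_port)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

To test a real rule, call probe() from a second machine against the host and port the rule covers; a "dropped" verdict takes the full timeout to arrive.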

how to run application in background

costales (costales) said : #14

@Vaibhav: You can't. You have more information here: https://answers.launchpad.net/gui-ufw/+faq/184
Best regards.