Anyone who's familiar with Netfilter could probably skip the first paragraph or two.

For those who aren't familiar with Netfilter and/or Ipchains, I'll try to give you a brief description. Ipchains is a packet-level firewall included with most, if not all, Linux distributions. It offers COMPLETE port-based firewalling, such as you might want on a border router for a company's network. Netfilter is an expanded version of ipchains that allows for quite a bit more functionality. It is port-based, but is also a 'stateful firewall', which basically means that it can examine the 'state' of any packets, and then respond in a variety of ways depending on how your firewall is configured.

Ipchains and Netfilter are something that I think EVERYONE who's running a Linux distribution at home should know inside out. It's really what can lock down your system and make things quite a bit more secure.

I would suggest anyone interested in a more complete answer to what Netfilter and ipchains are should take a look at the following two pages:

For Netfilter: http://netfilter.samba.org/netfilter-faq.html

For Ipchains: http://www.niemueller.de/webmin/modu...ains-faq.shtml

Now, onto my question.

Those of you who are familiar with ipchains/netfilter will no doubt have certain policies regarding whether you REJECT a packet or whether you DROP/DENY a packet.

My question is: What do you guys prefer and why?
DROP or REJECT, and why?
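To make the two verdicts concrete for readers new to the terms, here is an added example (not part of the original post, and not Netfilter code) in the form of a toy Python model of a stateful packet filter. The class names, the 5-tuple connection table and the `Packet` fields are all constructed for illustration; the behaviour it models is the standard one: a NEW flow is accepted only if its destination port is open, traffic belonging to an already-accepted flow is accepted in both directions (the 'state' the post mentions), and anything else is either silently dropped (DROP) or answered with a TCP RST or an ICMP port-unreachable (REJECT), which is the difference the sender can observe.

```python
"""Toy model of a stateful packet filter contrasting DROP and REJECT.

Added example for illustration only; it does not call Netfilter or ipchains.
All names (Packet, StatefulFilter, probe_closed_port) are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""     # for tcp: "S" (SYN), "SA" (SYN/ACK), "A", "R" (RST)


class StatefulFilter:
    """Accepts NEW flows only on open ports, tracks accepted flows, and applies
    the configured policy (DROP or REJECT) to everything else."""

    def __init__(self, open_ports, policy: str = "DROP"):
        self.open_ports = set(open_ports)     # e.g. {("tcp", 22)}
        assert policy in ("DROP", "REJECT")
        self.policy = policy
        self.conntrack = set()                # 5-tuples of accepted flows

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, reply). reply is the packet the firewall sends back
        to the source, or None when nothing is sent (ACCEPT and DROP)."""
        # ESTABLISHED: either direction of a tracked flow is allowed through.
        if self._key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
            return "ACCEPT", None
        # NEW: a TCP flow must start with a bare SYN to an open port;
        # an unsolicited SYN/ACK or ACK from outside is not a NEW flow.
        is_new = p.proto != "tcp" or p.flags == "S"
        if is_new and (p.proto, p.dport) in self.open_ports:
            self.conntrack.add(self._key(p))
            return "ACCEPT", None
        if self.policy == "DROP":
            return "DROP", None               # silence: the sender sees a timeout
        # REJECT: tell the sender explicitly that the port is closed.
        if p.proto == "tcp":
            reply = Packet(p.dst, p.src, "tcp", p.dport, p.sport, "R")
        else:
            reply = Packet(p.dst, p.src, "icmp", 0, 0, "port-unreachable")
        return "REJECT", reply


def probe_closed_port(policy: str) -> str:
    """What a client sees when it connects to a port the filter does not open."""
    fw = StatefulFilter([("tcp", 22)], policy=policy)
    verdict, reply = fw.filter(Packet("10.0.0.5", "10.0.0.1", "tcp", 40001, 80, "S"))
    if reply is None:
        return "timeout"          # DROP: the client retransmits, then gives up
    return "refused"              # REJECT: RST arrives, client fails immediately


if __name__ == "__main__":
    fw = StatefulFilter([("tcp", 22)], policy="DROP")
    syn = Packet("10.0.0.5", "10.0.0.1", "tcp", 40000, 22, "S")
    print("NEW to open port:", fw.filter(syn)[0])
    print("reply in tracked flow:", fw.filter(Packet("10.0.0.1", "10.0.0.5", "tcp", 22, 40000, "SA"))[0])
    for policy in ("DROP", "REJECT"):
        print(f"closed port under {policy}: client sees {probe_closed_port(policy)}")
```

The `probe_closed_port` helper summarises the trade-off the question is about: under DROP the client learns nothing and waits for a timeout, under REJECT it is told immediately that the port is closed. The model also shows why 'stateful' matters: a SYN/ACK that does not belong to a tracked flow is not treated as a new connection and falls through to the policy verdict.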