Discover Firewalls News
Firewalling: Reject vs. Deny, Default-open vs. Default-closed
If you generate an error message (i.e. ICMP unreachable), then the remote end will usually immediately stop trying to connect. This makes detecting some types of port scans more difficult since the remote end will likely send off only one packet, and give up after it receives the first error message. This also makes "shotgun" port scanning (i.e. where the attacker simply tries several thousand ports in rapid order) much easier, since the software will receive a definitive answer as to whether the port is blocked or not. Sending an error message does have several advantages, though, the primary one being to make life more difficult for someone who wants to spoof your IP addresses. Since your firewall is likely to generate ICMP error messages, the victim being attacked (by what looks like packets from your systems) will know something is up. To prevent you from sending error messages the attacker must take you offline, or otherwise act overtly to prevent data getting from the victim's network to yours and back.
The link for this article located at SecurityPortal is no longer available.