rjordan
Oct 07, 2011, Nimbostratus
Disabling Reject Unmatched Packets vs Dropping with a Packet Filter
We have several virtual servers that require external auditing/scanning for various compliance certifications. Some of our compliance vendors assume that the open/filtered state from dropped UDP packets on our routers is indeed open because they get a closed state from rejected packets from the LBs. It is a pretty bad assumption, but we have to deal with it anyway.
I know I can enable the packet filter to explicitly permit the necessary ports and then set Unhandled Packet Action to DISCARD. I'm just worried that I might miss something in my rules and break a bunch of stuff.
The other alternative seems to be setting TM.RejectUnmatched to False. My concern is that I don't know all the scenarios that RSTs are used for. I guess if a client somehow gets out of sync and sends a SYN that it no longer has a connection for, the LB would not send a RST. It would just allow the client to time out? Is anyone else using this option? It is much easier to implement, but I don't know if I should be worried about any other side effects.
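One way to reduce the risk of missing a port when building the explicit permit list for the packet filter, as an added example that is not part of the original post or of F5's own tooling: a Python script that derives the protocol/host/port set from a constructed sample of `tmsh list ltm virtual` output and renders it as BPF-style expressions to compare against the packet filter rules. The output format, the small service-name map, the IPv4-only destination parsing and the rule rendering are assumptions.

```python
import re

# Constructed sample of `tmsh list ltm virtual` output (not taken from the post;
# the layout is an assumption based on typical BIG-IP output, IPv4 only).
SAMPLE_TMSH_OUTPUT = """\
ltm virtual vs_web_https {
    destination 203.0.113.10:https
    ip-protocol tcp
    mask 255.255.255.255
}
ltm virtual vs_dns_udp {
    destination 203.0.113.11:domain
    ip-protocol udp
}
ltm virtual vs_app_8443 {
    destination 203.0.113.12:8443
    ip-protocol tcp
}
ltm virtual vs_any_port {
    destination 203.0.113.13:any
    ip-protocol tcp
}
"""

# Minimal service-name map (assumption); port 0 stands for a wildcard destination.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22, "any": 0}

def required_permits(tmsh_text):
    """Return sorted (protocol, ip, port) tuples the packet filter must permit."""
    permits = set()
    for block in re.finditer(r"ltm virtual \S+ \{(.*?)\n\}", tmsh_text, re.S):
        body = block.group(1)
        dest = re.search(r"destination (?:/\S+?/)?(\S+?):(\S+)", body)
        proto = re.search(r"ip-protocol (\S+)", body)
        if not dest or not proto:
            continue  # skip virtuals without an explicit destination/protocol
        ip, svc = dest.group(1), dest.group(2)
        port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
        if port is None:
            raise ValueError(f"unknown service name {svc!r} for {ip}")
        permits.add((proto.group(1), ip, port))
    return sorted(permits)

def packet_filter_rules(permits):
    """Render each permit as a BPF-style expression to check against the rules."""
    rules = []
    for proto, ip, port in permits:
        expr = f"{proto} and dst host {ip}"
        if port:  # wildcard (port 0) destinations get no port clause
            expr += f" and dst port {port}"
        rules.append(expr)
    return rules
```

Diff the rendered expressions against the configured permit rules before switching Unhandled Packet Action to DISCARD; any virtual server missing from the rule set is one that would start silently dropping traffic.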