nerdexam
CompTIA

XK0-004 · Question #503

A technician wants to implement a firewall ACL to block external access to the company's SSH server. Which of the following should the technician implement to configure the firewall so it will inform

The correct answer is B. Use the REJECT option. Firewall rules can either silently discard packets or actively notify the sender - REJECT sends an error response back to the source host informing it that the connection was refused.

Security

Question

A technician wants to implement a firewall ACL to block external access to the company's SSH server. Which of the following should the technician implement to configure the firewall so it will inform the source of the action taken by the ACL?

Options

  • AUse the LOG option
  • BUse the REJECT option
  • CUse the CONNTRACK option
  • DUse the DROP option

How the community answered

(37 responses)
  • A
    3% (1)
  • B
    89% (33)
  • C
    5% (2)
  • D
    3% (1)

Why each option

Firewall rules can either silently discard packets or actively notify the sender - REJECT sends an error response back to the source host informing it that the connection was refused.

AUse the LOG option

LOG records packet information to the system log but takes no action on the packet itself - it does not block or notify the source and is typically combined with another target.

BUse the REJECT optionCorrect

The REJECT target in iptables sends an ICMP 'port unreachable' or TCP RST packet back to the originating host, explicitly informing it that the connection was denied. This active notification is the key distinction from DROP, which silently discards packets with no response. Configuring REJECT on port 22 (SSH) will both block access and communicate the rejection to the external source.

CUse the CONNTRACK option

CONNTRACK (or connection tracking) is a stateful inspection mechanism that tracks connection states, not a terminal target that blocks or notifies traffic sources.

DUse the DROP option

DROP silently discards packets without sending any response to the source, so the sender receives no notification that the traffic was blocked - the opposite of what is required.

Concept tested: iptables REJECT vs DROP firewall response behavior

Source: https://man7.org/linux/man-pages/man8/iptables.8.html

Topics

#iptables#REJECT vs DROP#firewall ACL#SSH access control

Community Discussion

No community discussion yet for this question.

Full XK0-004 Practice