XK0-004 · Question #503
A technician wants to implement a firewall ACL to block external access to the company's SSH server. Which of the following should the technician implement to configure the firewall so it will inform
The correct answer is B. Use the REJECT option. Firewall rules can either silently discard packets or actively notify the sender - REJECT sends an error response back to the source host informing it that the connection was refused.
Question
A technician wants to implement a firewall ACL to block external access to the company's SSH server. Which of the following should the technician implement to configure the firewall so it will inform the source of the action taken by the ACL?
Options
- AUse the LOG option
- BUse the REJECT option
- CUse the CONNTRACK option
- DUse the DROP option
How the community answered
(37 responses)- A3% (1)
- B89% (33)
- C5% (2)
- D3% (1)
Why each option
Firewall rules can either silently discard packets or actively notify the sender - REJECT sends an error response back to the source host informing it that the connection was refused.
LOG records packet information to the system log but takes no action on the packet itself - it does not block or notify the source and is typically combined with another target.
The REJECT target in iptables sends an ICMP 'port unreachable' or TCP RST packet back to the originating host, explicitly informing it that the connection was denied. This active notification is the key distinction from DROP, which silently discards packets with no response. Configuring REJECT on port 22 (SSH) will both block access and communicate the rejection to the external source.
CONNTRACK (or connection tracking) is a stateful inspection mechanism that tracks connection states, not a terminal target that blocks or notifies traffic sources.
DROP silently discards packets without sending any response to the source, so the sender receives no notification that the traffic was blocked - the opposite of what is required.
Concept tested: iptables REJECT vs DROP firewall response behavior
Source: https://man7.org/linux/man-pages/man8/iptables.8.html
Topics
Community Discussion
No community discussion yet for this question.