From: Chris Buechler
Date: Fri, 17 Oct 2014 23:50:31 -0500
Subject: Re: drop vs return
To: Laszlo Danielisz
Cc: pf@freebsd.org
List-Id: Technical discussion and general questions about packet filter (pf)

On Tue, Oct 14, 2014 at 2:54 PM, Laszlo Danielisz via freebsd-pf wrote:
> Hi,
>
> Which is your set block-policy? Drop or Return?
> And why?
>

Depends on the circumstance. Generally speaking, for traffic sourced from trusted networks, return so you don't hang applications or services by blocking their traffic. It's friendlier. For any traffic sourced from the Internet, or networks with devices that aren't "trusted" (for whatever your definition of trusted), block so untrusted machines can't make your firewall generate reply packets (which will exacerbate a DoS/DDoS, among other potential issues).
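The split policy described in the reply, written out as a pf.conf fragment. This is an added illustration, not configuration from the original post; the interface names, the trusted network and the permitted ports are assumed placeholders.

```pf
# Added example (not from the original message). em0, em1, 192.168.1.0/24
# and the port list are assumed values for illustration.
ext_if = "em0"                  # Internet-facing interface
int_if = "em1"                  # trusted LAN interface
trusted_net = "192.168.1.0/24"

# Global default: silently drop. Hosts on the untrusted side cannot make
# the firewall emit TCP RSTs or ICMP unreachables, so a flood of blocked
# packets does not also turn into reply traffic generated by the firewall.
set block-policy drop

# Internet side: blocked packets are logged and dropped (policy inherited
# from the global setting above).
block in log on $ext_if all

# Trusted LAN: override the global policy with "return" so local clients
# get a RST/ICMP unreachable and fail fast instead of hanging on timeouts.
block return in on $int_if from $trusted_net to any

# Explicit pass rules (last matching rule wins in pf, so these override the
# block rules above for the listed traffic only).
pass in on $int_if proto { tcp udp } from $trusted_net to any port { 53 80 443 } keep state
pass out on $ext_if all keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; `pfctl -s rules` then shows each block rule expanded to its effective `block drop` or `block return` form.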