ufw Linux firewall difference between reject and deny

Tags: Linux, Firewall

Linux Problem Overview


Using the uncomplicated firewall ufw, I can set ports/services to reject and deny.

For example:

ufw deny www

ufw reject www

Can someone explain to me the difference between the two approaches?

Linux Solutions


Solution 1 - Linux

"deny" uses the DROP iptables target, which silently discards incoming packets.

"reject" uses the REJECT iptables target, which sends back an error packet to the sender of the rejected packet.

From the ufw manual page:

> Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny.

From the point of view of the user/program that is trying to connect to your server:

  • "deny" will keep the program waiting until the connection attempt times out, some short time later.

  • "reject" will produce an immediate and very informative "Connection refused" message.

EDIT:

From a security point of view "deny" is slightly preferable. It will force every connection from a potential attacker to time out, thus slowing down the probing of your server.

Experienced and/or determined attackers won't really be affected - they are usually patient and there are several ways to deal with the slowdown, anyway. It might discourage the occasional wannabe that did not even bother to read the nmap manual page, though.

"deny" will also save a bit of bandwidth on the uplink by not sending the error packet. This might be important on asymmetric network connections where a DoS attack could simply saturate the - usually narrower - uplink with error packets.

On the other hand, it is a bit more polite to let people know that you are rejecting their connections. A refused connection lets people know that it is most probably a permanent policy decision, rather than e.g. a short-term networking issue.
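The client-side behaviour the answer describes, as an added example that is not part of the original answer: a small Python checker an administrator can run from another host against their own server to confirm that a port covered by `ufw deny` stalls until the timeout while one covered by `ufw reject` is refused at once. The helpers `closed_local_port` and `listening_socket` and the loopback addresses are assumptions used only for a local self-test.

```python
import errno
import socket
import time


def probe(host, port, timeout=3.0):
    """Classify how a TCP port answers a single connect() and time it.

    Returns (state, seconds) where state is one of:
      "open"        handshake completed, a service is listening
      "refused"     immediate RST or ICMP error; this is what `ufw reject`
                    (iptables REJECT) or a plain closed port produces
      "dropped"     nothing came back before `timeout`; this is what
                    `ufw deny` (iptables DROP) produces
      "unreachable" the local network stack had no route at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except socket.timeout:
        return "dropped", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", time.monotonic() - start
        raise
    finally:
        s.close()


def closed_local_port():
    """Constructed test case: a loopback port with nothing listening.

    The kernel answers a connect() to it with RST, the same thing the
    client sees for a REJECT rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_socket():
    """Constructed test case: a loopback listener, so probe() reports 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s
```

Run against a port on a server whose rule is `ufw deny`, `probe()` returns `("dropped", ~timeout)`; against one with `ufw reject` it returns `("refused", ~0)`, which is exactly the "Connection refused" versus hang difference the answer describes.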

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | CuriousFirewallNewbie | View Question on Stackoverflow
Solution 1 - Linux | thkala | View Answer on Stackoverflow