REJECT vs DROP Firewall Rules

TL;DR

Using REJECT instead of DROP in your PC firewall rules can help with troubleshooting network issues. REJECT sends an ICMP message back to the sender, letting them know the connection was refused, while DROP silently ignores it. This makes diagnosing problems easier.

Understanding DROP and REJECT

Both DROP and REJECT are used in firewalls to block unwanted network traffic. However, they work differently:

• DROP: Silently discards the packet. The sender receives no response and may time out waiting for a reply.
• REJECT: Sends an ICMP “Destination Unreachable” message back to the sender. This tells them immediately that their connection attempt failed.

Why REJECT is Better for Troubleshooting

When you’re trying to figure out why a network connection isn’t working, REJECT provides valuable feedback. Here’s how:

1. Faster Diagnosis: Instead of waiting for timeouts (which can take minutes), you get an immediate ICMP message indicating the problem.
2. Pinpointing Issues: The ICMP message can help identify if the issue is with your firewall, routing, or something else entirely.
3. Testing Connectivity: You can use REJECT rules to specifically test if a port is blocked by your firewall.

How to Change Rules from DROP to REJECT (Windows Firewall)

Here’s how to change existing firewall rules on Windows:

1. Open Windows Defender Firewall with Advanced Security: Search for it in the Start Menu.
2. Find Your Rule: In the left pane, click “Inbound Rules” or “Outbound Rules”, depending on which direction you want to modify. Locate the rule you want to change.
3. Edit the Rule: Right-click the rule and select “Properties”.
4. Change Action: Go to the “Action” tab. Change the setting from “Block the connection” (which uses DROP) to “Block the connection with ICMP unreachable message” (which uses REJECT).
5. Apply Changes: Click “OK” to save your changes.

How to Create a REJECT Rule (Windows Firewall)

If you need to create a new rule:

1. Open Windows Defender Firewall with Advanced Security: Search for it in the Start Menu.
2. New Rule Wizard: In the left pane, click “New Rule…”.
3. Rule Type: Select “Custom” and click “Next”.
4. Program: Choose whether to apply the rule to a specific program or all programs. Click “Next”.
5. Protocol and Ports: Specify the protocol (TCP, UDP, etc.) and port numbers you want to block. Click “Next”.
6. Scope: Define which IP addresses the rule applies to. Click “Next”.
7. Action: Select “Block the connection with ICMP unreachable message” (REJECT). Click “Next”.
8. Profile: Choose when the rule should be active (Domain, Private, Public networks). Click “Next”.
9. Name and Description: Give your rule a descriptive name. Click “Finish”.

Example using PowerShell

You can also manage firewall rules with PowerShell:

New-NetFirewallRule -DisplayName "Block Port 80 (REJECT)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block -ICMPv4Type 3

This command creates a new inbound rule that blocks TCP traffic on port 80 and sends an ICMP unreachable message.

Important Considerations

• Security: While REJECT is helpful for troubleshooting, it does reveal more information to potential attackers than DROP. Consider switching back to DROP once you’ve resolved the issue.
• Network Tools: Use tools like ping and traceroute in conjunction with REJECT rules to diagnose network problems effectively.