Recently we have been looking at updating diffscan so that we can scan all TCP ports instead of the nmap top 2000; however, the scan is taking some time (>24h) to complete, largely because the scans now need to time out on 65k ports instead of 2k ports. We can update the nmap timings to try and bring this time down dramatically, and indeed a test using nmap's T5 setting did bring the scan time down to about ~35 minutes; however, it also added a lot of false positives due to the various timers being too aggressive.
One way that we could speed up the nmap scans is to configure a default REJECT rule at the bottom of our ferm rules. This would mean that the nmap scan would receive an RST for closed ports and much more quickly determine that the port is closed (as opposed to filtered when the packet times out). We could restrict such a rule to just the diffscan server; however, this runs the risk that we have a slightly different picture of reality compared to a truly external actor. As such I wanted to consider adding such a rule for all sources.
The advantage of this is that misconfigured servers, our own or community services, would receive an RST packet and be allowed to fail fast instead of waiting for the connection to time out. This would also likely prevent some retry traffic (although likely unnoticeable compared to the larger background).
Regarding the downside, @ayounsi already pointed out that this is not desirable on network gear, as it means the packet has to first reach the control plane to construct the RST packet instead of being responded to from the edge. There will also be some additional resources required on hosts for the Linux kernel to construct the RST packet. This would also mean that a malicious actor could use us to reflect RST packets; however, the 40b RST packet comes at the cost of a 60b SYN packet, so it would be better to reflect SYN/ACK (60b) packets from a known open port, e.g. 443.
The final point I would make is that although it is recommended via many standards, e.g. PCI, ISO 27002, NIST, etc., to have a default drop policy, I believe the aim is making it harder for a user to enumerate open ports. This is not a concern for us as our firewall rule base is already public via puppet.
I'm sure I'm missing something so wanted to create this task to gather thoughts.
(I also drafted a quick CR as a starting point.)
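As an added illustration (not the draft CR mentioned above and not the production ferm rule set), here is how the two scopes discussed in the task look in ferm: a scanner-only RST rule versus an RST for every source. The hostname and the service ports are placeholders.

```ferm
# Added example; hostnames and ports are placeholders, not real values.
domain ip {
    table filter {
        chain INPUT {
            # Default policy stays DROP: anything not matched below is
            # silently discarded, so a scanner has to wait for its timer
            # and reports the port as "filtered".
            policy DROP;

            # Housekeeping rules typical of a ferm base rule set.
            interface lo ACCEPT;
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            proto icmp ACCEPT;

            # Services this host actually exposes (placeholder ports).
            proto tcp dport (22 443) ACCEPT;

            # Variant A: answer only the scanner host with a TCP RST.
            # The scanner sees closed ports immediately; every other
            # source still sees "filtered", so its view differs from
            # what an external party observes.
            saddr @resolve(diffscan.example.org) proto tcp REJECT reject-with tcp-reset;

            # Variant B: answer every source with a TCP RST. Closed TCP
            # ports now fail fast for any client, at the cost of the
            # kernel building one RST per unsolicited SYN. With both
            # variants present, B subsumes A; keep only the one chosen.
            proto tcp REJECT reject-with tcp-reset;
        }
    }
}
```

The `reject-with tcp-reset` part is what matters: a bare `REJECT` sends an ICMP port-unreachable instead, which nmap still classifies as "filtered", so the scan would gain nothing. UDP is deliberately left under the DROP policy, since no RST equivalent exists there.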