Surely what you want to do is not tell someone the service doesn't exist, but rather not tell them anything? If you drop the packet they don't even know that the port exists, not that the port exists and is configured not to let them access it.
Any port scanner worth the two minutes it takes to install will very easily tell you that the machine you are querying exists and is FIREWALLED when you DROP packets. In fact, ports where firewalls drop packets are labelled by nmap (arguably one of the most common and prolific port scanners around) as firewalled. Refusing a connection will keep a malicious intender guessing for a lot longer until they get bored and go away. This will be the case with script kiddies, but any advanced hacker is not going to be deterred by filtered ports anyways; there are far more simplistic methods to break into somebody's network. The saying goes "A directed attack, whether it is Denial of Service or information theft is virtually impossible to stop. Much like a car alarm, the firewall acts as a deterrent, but the experienced and determined thief will get your car eventually."

# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.

Yes, as I said, this causes extra bandwidth usage, but it is so little anyways. A half decent probe would be trying to avoid detection by spacing packets, randomising ports, connecting from different machines etc. All in all, the time is usually an extended period, so the impact is minimal.
Dropping packets is actually a line of defense, and you really should use it.
Depending on your view. Security through obscurity is a well practised art form. Simple stuff like: never use port 22 for SSH, use 36789 or whatever, but something well above 20000. Running a port scan on all 65535 ports is a very time and resource consuming thing, so keep any service off its default port where you can.

Anyways, my point is that the less information you can gather about a target system, the more time and resource has to be used to achieve your goal. DROPping packets shortens that time. They know the firewall exists. They know that because there is a firewall, there is "quite probably" an [adequate] installation of something, so get the fingerprints and start looking for default installed apps.

My view, your view, we are both right. :)

Barry