It seems that it might be more appropriate to simply have your default firewall rule be to drop incoming traffic, and to then open only those ports you need.

If you're using a port whitelist (rather than a blacklist), the problem the author identifies shouldn't really exist.
I've always wondered what the actual best practice is with rejection rules. I tend to prefer issuing reset/unreachable since, as the article points out, it does make the port look like it's truly unused. On the other hand, eliminating the response packets has benefits of its own: the scan takes longer, the system doesn't incur the response overhead, and it won't participate in any attack scenario that depends on sending responses to a spoofed address.
It depends on what you're worried about as to why you would choose drop vs. reject.

If you scan only that specific port, a DROP will make the IP address appear unused, so if you're worried about someone scanning purely for port 22 and not anything else, a drop is the better choice.

(See: nmap an unused IP address with -P0 to ignore the fact there's no ICMP response to show the host is alive, and you get a 'filtered'.)

If you're worried about people that are specifically trying to see if a service is running on your specific server, a reject + reset might be the better choice.
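The whitelist-by-default approach from the first comment and the drop-vs-reject choice from the thread, as an added example (not code from the thread or the linked article): a POSIX shell function that emits an nftables ruleset with a default-drop input policy, an accept list of TCP ports, and a selectable tail for everything else. In "drop" mode unmatched packets are silently discarded (nmap reports them as "filtered"); in "reject" mode TCP gets a RST and other protocols an ICMP port-unreachable (nmap reports "closed"). The table and chain names, the port list and the mode are assumptions chosen for the example; applying the output requires nft and root, which the function itself does not need.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset implementing a port whitelist.
# Usage: gen_ruleset drop|reject PORT [PORT...]
# Apply on a host with nft installed (assumption):  gen_ruleset reject 22 443 | nft -f -
gen_ruleset() {
    mode=$1
    shift
    [ $# -gt 0 ] || { echo "usage: gen_ruleset drop|reject port [port...]" >&2; return 2; }

    # Build the "22, 443" set body, refusing anything that is not a plain integer
    # so a stray argument cannot turn into arbitrary nft syntax.
    ports=""
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        ports="${ports:+$ports, }$p"
    done

    case $mode in
        drop)
            # Silent: the scanner sees "filtered"; with a single-port scan the
            # host can look entirely unused.
            unmatched="        drop" ;;
        reject)
            # Answer explicitly: TCP gets a RST, everything else an ICMP
            # port-unreachable, so the port reads as "closed" on a live host.
            unmatched="        meta l4proto tcp reject with tcp reset
        reject with icmpx type port-unreachable" ;;
        *)
            echo "mode must be drop or reject" >&2; return 2 ;;
    esac

    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # whitelist: only these TCP ports are reachable from outside
        tcp dport { $ports } accept
        # everything else
$unmatched
    }
}
EOF
}
```

With the default policy set to drop, the whitelist is the only thing that opens a port, so the "reject" tail only changes what a scanner is told about ports you never opened; it never widens what is reachable.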