| 1 |
Am Donnerstag, 8. Januar 2004 21:50 schrieb mir Daniel Privratsky: |
| 2 |
> Oliver Schad wrote: |
| 3 |
> > Am Donnerstag, 8. Januar 2004 18:57 schrieb mir Daniel Privratsky: |
| 4 |
> > What the fuck... |
| 5 |
> > I don't understand this, we want to break internet standards because |
| 6 |
> > some script kids could be (under some circumstances) a little bit |
| 7 |
> > slower with their attacks, which can only be successful, when an |
| 8 |
> > administrator is too stupid to configure his systems. Is that the |
| 9 |
> > argumentation for breaking internet standards? |
| 10 |
> > |
| 11 |
> > *argh* |
| 12 |
> |
| 13 |
> It is not about script kiddies. It's about security philosophy. REJECT |
| 14 |
> means system alive & port closed or firewall in the way and that IS the |
| 15 |
> information. DROP covers it with a fog of uncertainty. |
| 16 |
|
| 17 |
Hey somebody should decide for one argumentation. Now we don't care about |
| 18 |
script kids? Ok, let's take a look to advanced attackers. |
| 19 |
A closed port is a closed port is a closed port. Should an attacker take |
| 20 |
an can opener for it? When I know the port is filtered, this is an |
| 21 |
information too. So what? |
| 22 |
|
| 23 |
> Yas, it's bad to standards. Yes, it's good to security. You can choose |
| 24 |
> what is good to you. |
| 25 |
|
| 26 |
It's good for nothing. |
| 27 |
|
| 28 |
> Same applies to NAT, transparent proxies, syn defenders etc. Bad for |
| 29 |
> pure-internet utopia, but sometimes good for security. |
| 30 |
> And that's what is discussed here. |
| 31 |
|
| 32 |
NAT is no security feature, NAT is still for NAT. If you want to protect a |
| 33 |
network from establishing an connection from outside take a packet |
| 34 |
filter. But that should be treated in another discussion. You can be |
| 35 |
secure and don't break internet standards. You can run proxies, packet |
| 36 |
filters etc. without breaking internet standards. It works fine and you |
| 37 |
don't have to revert to security by obscurity. |
| 38 |
|
| 39 |
> btw: I still don't get it with the icmp "destination unrechable" idea. |
| 40 |
> does it mean, that some ultra tight checkpoint firewall should be |
| 41 |
> reconfigured, to propagete to the outer space it's interfaces just |
| 42 |
> because someone tries to reach non working system? you must be joking. |
| 43 |
|
| 44 |
Reject incoming connections, it works and it agrees with internet |
| 45 |
standards. |
| 46 |
|
| 47 |
mfg |
| 48 |
Oli |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-security@g.o mailing list |
Archives