Gentoo Archives: gentoo-security

From: Frank Gruellich <frank@××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 09:05:39
Message-Id: 20040109090012.GZ4413@home.manuelm.org
In Reply to: Re: [gentoo-security] firewall suggestions? by Mark Hurst
* Mark Hurst <mark@××××××.net>  9. Jan 04
> > Sorry, but this is complete nonsense. You should always use the
> > REJECT target. To simply drop packets is contrary to the standards and
> > hampers net traffic. If you don't want to talk to me, say so. Simply
> > remaining silent and letting me wait is very unpolite.
> So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
> incoming traffic? OK, if you say so. I must make a note to inform the
> authors of every firewall manual and book I've ever read that they're
> wrong.
Send me this note, too, 'cause I also use -P DROP. _But_ only because the usual default policies allow only to DROP packets. This is very okay, because in this scenario everything missing my rules is something unknown. To answer in a specific manner to something unknown is not advisable. But if my default policy catches something, I have done something wrong anyway, because a packet traversed my rules that I did not consider in my filter design. Default policies should be used as a kind of fallback (IMHO).
> How exactly does it "hamper net traffic" to let you time out when
> connecting to a closed port?
I have to resend my requests multiple times. No answer means (following the RFCs), that the packet was lost due to a malfunction.
> Yeah, top statement there. Your attacker knows no such thing, all he knows
> is he timed out instead of getting rejected instantly. If you try a random
> port on some random IP address and you don't get a host unreachable, do
> you KNOW that it's up?
This or any fault in the network between us.
> Of course you don't, unless you control every router in the world.
This may be the fault: some routers don't behave like routers.
> You should tone down the insults. Trying to show how clever you are by
> being rude is not productive.
As mentioned in other posts, I beg your pardon, too.
> Better go now and try to unbind broken services from my external
> interfaces like the braindead root that i am. And play with my filter.
> Thanks for the laughs.
The thread arose from the statement that even on single hosts a packet filter used to drop ports increases security more than simply closing ports by stopping services.

Regards, Frank.

-- 
Sigmentation fault

--
gentoo-security@g.o mailing list
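The design Frank argues for above (a DROP chain policy kept only as a fallback, with explicit REJECT rules for traffic arriving on the known external interface that the host does not serve) can be written down as an iptables-restore ruleset. The script below is an added example and is not code from the mail or the thread; the interface name eth0, the port list and the loading via `iptables-restore` are assumptions. It also logs anything that would otherwise fall through to the DROP policy, since by Frank's reasoning a packet reaching the fallback means the rule set has a gap worth finding.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset (added example, not from the mailing list).
# Policy DROP is a fallback only; everything we expect on the external
# interface is either ACCEPTed or explicitly REJECTed so peers get an
# immediate answer instead of a timeout. Interface and ports are assumptions
# supplied by the caller.
gen_ruleset() {
    ifname=$1       # external interface (assumed name, e.g. eth0)
    tcp_ports=$2    # space-separated TCP ports this host really serves

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # fallback: nothing should reach it
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Loopback and replies to our own connections are always fine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Services we knowingly offer on the external interface.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -i $ifname -p tcp --dport $p -j ACCEPT"
    done

    # Everything else arriving on the known interface gets an explicit
    # refusal: TCP RST for TCP, ICMP port-unreachable for UDP, and
    # protocol-unreachable for anything else, as a closed port would.
    printf '%s\n' "-A INPUT -i $ifname -p tcp -j REJECT --reject-with tcp-reset"
    printf '%s\n' "-A INPUT -i $ifname -p udp -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' "-A INPUT -i $ifname -j REJECT --reject-with icmp-proto-unreachable"

    # Packets still here were not considered in the filter design. Log them
    # (rate limited) before the DROP policy silently swallows them.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-fallback: "'
    printf '%s\n' 'COMMIT'
}

# Demo with constructed values; load for real with:
#   gen_ruleset eth0 "22 80" | iptables-restore
gen_ruleset eth0 "22 80"
```

Lines in the kernel log tagged `fw-fallback:` are the useful part of this layout: each one is a packet the explicit rules did not describe, which is exactly the case the mail says should be treated as a design mistake rather than as routine filtering.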