On Thursday, 8 January 2004 at 21:16, Ben Cressey wrote to me:

> > To hide a host is always very stupid, why should you do this? There
> > is no advantage. If you "hide" your computer an attacker knows there
> > is a stupid guy who doesn't know anything about network security.
>
> You're rather free with calling people "stupid" with little to no
> justification. One could as easily turn it around and ask "why should
> my server reply at all to connection attempts to ports I am not running
> any services on?"

--------------[RFC 793 - Transmission Control Protocol]---------
/
| Reset Generation
|
| As a general rule, reset (RST) must be sent whenever a segment
| arrives which apparently is not intended for the current connection.
| A reset must not be sent if it is not clear that this is the case.
|
| There are three groups of states:
|
| 1. If the connection does not exist (CLOSED) then a reset is sent
| in response to any incoming segment except another reset. In
| particular, SYNs addressed to a non-existent connection are
| rejected by this means.
\
---------------------------------------------------------------

--------------[RFC 792 - INTERNET CONTROL MESSAGE PROTOCOL]---------
/
| If, in the destination host, the IP module cannot deliver the
| datagram because the indicated protocol module or process port is
| not active, the destination host may send a destination
| unreachable message to the source host.
\
---------------------------------------------------------------

What was your argument?

Kind regards,
Oli

--
gentoo-security@g.o mailing list
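As an added illustration (not part of the thread above), the following Python models the two behaviours the RFC excerpts describe: the RFC 793 CLOSED-state reset rule, including its "except another reset" exception and the sequence/acknowledgement numbers RFC 793 prescribes for the RST, and the RFC 792 port-unreachable reply for UDP; a third function models the "silently drop" policy the thread argues about. The segment values in the test are constructed, and the TcpSegment type is an assumption of this example.

```python
# Added example, not code from the thread: a minimal model of the host-side
# response to a segment that arrives for a port with no listener.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TcpSegment:
    seq: int                 # SEG.SEQ
    ack: int                 # SEG.ACK (meaningful only when "ACK" is set)
    length: int              # SEG.LEN: payload bytes, plus one for SYN and one for FIN
    flags: FrozenSet[str]    # subset of {"SYN", "ACK", "RST", "FIN"}


def closed_port_response(seg: TcpSegment) -> Optional[TcpSegment]:
    """RFC 793, state CLOSED: every incoming segment is answered with a RST,
    except an incoming RST (otherwise two closed ends could reset each other
    forever).  The RST carries the numbers RFC 793 specifies so the sender's
    own acceptability check will accept it."""
    if "RST" in seg.flags:
        return None
    if "ACK" in seg.flags:
        # <SEQ=SEG.ACK><CTL=RST>: the peer told us which sequence number it expects
        return TcpSegment(seq=seg.ack, ack=0, length=0, flags=frozenset({"RST"}))
    # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>: acknowledge exactly what arrived
    return TcpSegment(seq=0, ack=seg.seq + seg.length, length=0,
                      flags=frozenset({"RST", "ACK"}))


def udp_closed_port_response(port_active: bool) -> Optional[str]:
    """RFC 792: if the IP module cannot deliver because the port is not active,
    the host *may* send ICMP Destination Unreachable (type 3, code 3)."""
    return None if port_active else "ICMP type 3 code 3 (port unreachable)"


def drop_policy_response(seg: TcpSegment) -> Optional[TcpSegment]:
    """The 'hidden host' policy from the thread: the segment is discarded and
    nothing is sent back, so the peer learns nothing until its own timers expire."""
    return None


if __name__ == "__main__":
    syn = TcpSegment(seq=1000, ack=0, length=1, flags=frozenset({"SYN"}))
    print("RFC 793 reply to SYN on closed port:", closed_port_response(syn))
    print("Drop policy reply to the same SYN:  ", drop_policy_response(syn))
    print("UDP port with no listener:          ", udp_closed_port_response(False))
```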