| 1 |
> Sorry, but this is completely nonsense. You should always use the |
| 2 |
> REJECT target. To simply drop pakets is contrary the standards and |
| 3 |
> hampers net traffic. If you don't want to talk to me, say so. Simply |
| 4 |
> remain silent and let me wait is very unpolite. |
| 5 |
|
| 6 |
So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop |
| 7 |
incoming traffic? OK, if you say so. I must make a note to inform the |
| 8 |
authors of every firewall manual and book i've ever read that they're |
| 9 |
wrong. |
| 10 |
|
| 11 |
How exactly does it "hamper net traffic" to let you time out when |
| 12 |
connecting to a closed port? |
| 13 |
|
| 14 |
> And in fact you gain no security in 'hiding' your machine by dropping |
| 15 |
> pakets. If somebody 'tests' your machine and it's off the net, he will |
| 16 |
> get a ICMP host unreachable from your gataway. If he doesn't get any |
| 17 |
> answer, he knows, that it is online and there is an braindead root in |
| 18 |
> front of this machine, knowing nothing about IP, but playing with his |
| 19 |
> filter, so let's see, if it's mis-configured box maybe has an telnet |
| 20 |
> open or any other broken services he wasn't able to unbound from |
| 21 |
> external interfaces. |
| 22 |
|
| 23 |
Yeah, top statement there. Your attacker knows no such thing, all he knows |
| 24 |
is he timed out instead of getting rejected instantly. If you try a random |
| 25 |
port on some random IP address and you don't get a host unreachable, do |
| 26 |
you KNOW that it's up? Of course you don't, unless you control every |
| 27 |
router in the world. |
| 28 |
|
| 29 |
You should tone down the insults. Trying to show how clever you are by |
| 30 |
being rude is not productive. |
| 31 |
|
| 32 |
Better go now and try to unbind broken services from my external |
| 33 |
interfaces like the braindead root that i am. And play with my filter. |
| 34 |
Thanks for the laughs. |
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-security@g.o mailing list |
Archives