Gentoo Archives: gentoo-security

From: Petr Chyba <lami@××××××.cz>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 15:05:46
Message-Id: 3FFD72FE.6090103@bonbox.cz
In Reply to: Re: [gentoo-security] firewall suggestions? by Oliver Schad
Oliver Schad wrote:

>On Thursday, 8 January 2004 13:06, gonzalo wrote to me:
>
>>On 1/8/04 8:50 AM, Oliver Schad wrote:
>>
>>>On Wednesday, 7 January 2004 23:05, Mark Hurst wrote to me:
>>>
>>>>It's much better to have a firewall than just have ports not open.
>>>>Even though a port is not open it can reveal the presence of your
>>>>machine by the manner in which the IP stack responds to a connection
>>>>attempt. Using a firewall you can drop those packets, making all
>>>>your closed ports invisible.
>>>>
>>>If you want to be invisible, the next router to you has to send an ICMP
>>>packet with "host unreachable". If you say nothing, anybody with some
>>>brain between his ears knows there is a very intelligent guy that
>>>wants to be invisible.
>>>
>>AFAIK they appear as "filtered", that's the difference between a closed
>>and a filtered port. The first responds with a "negative", the second
>>doesn't respond. Am I wrong?
>>
>That's right. But no answer means there is somebody who doesn't answer.
>Only if the last router before the target says "Hey, there is nobody",
>then there is nobody (or there is a really intelligent guy that wants
>to hide his host).
>
>To hide a host is always very stupid, why should you do this? There is no
>advantage. If you "hide" your computer, an attacker knows there is a
>stupid guy who doesn't know anything about network security.
>
>Regards
>Oli
>
Well, in this world, not every admin is a security guru, nor is every cracker. I agree with the arguments stated above, but in my (little) experience I have encountered mostly script kiddies. I am sure that an experienced cracker can break into my box, because I am not smart enough to secure it 100% (I know, there is never 100% security, but it can be close). But I guess a script kiddie will not see the difference between a timeout and host unreachable, presuming the host is down. A closed port makes it obvious that there is a box, saying "my port XXX is closed".

On the other hand, an attacker often knows the host he attacks, because it runs some services, like a web server, so dropping packets on other ports doesn't make sense either.

Anyway, I'll rewrite my scripts to use the REJECT target, thanks all for another piece of stuff I can put between my ears :-) I didn't think about this problem before.

Petr Chyba



--
gentoo-security@g.o mailing list