Gentoo Archives: gentoo-security

From: Ben Cressey <ben@×××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 20:22:57
Message-Id: 012c01c3d624$4bab4c70$7f16010a@na.saralee.com
In Reply to: Re: [gentoo-security] firewall suggestions? by Oliver Schad
> To hide a host is always very stupid, why should you do this? There is no
> advantage. If you "hide" your computer an attacker knows there is a
> stupid guy who doesn't know anything about network security.
You're rather free with calling people "stupid" with little to no justification. One could as easily turn it around and ask "why should my server reply at all to connection attempts to ports I am not running any services on?"

If I am just running a web server, nobody has any business connecting to any port besides 80/tcp and 443/tcp. ICMP traffic is fine, but what legitimate purpose is there in attempting a connection to another tcp port? If I were running another service at that IP address, it would be advertised through the appropriate channels. Users would (obviously) not need to run a port scan to discover it. Since the person is trying to connect to a port they have no business connecting to, I don't see why my server should send out a packet in reply.

It's not about hiding the server or some fictitious security gain -- although as someone pointed out replying to potentially spoofed source addresses could be leveraged into some form of DoS attack. While the chances of this are probably not high, they are precisely *zero* if you don't bother to reply in the first place.

The issues of "ident lookups" and "difficult to troubleshoot" are in my opinion not relevant. If you are relying on the behavior of REJECT vs DROP to ensure that supported applications behave correctly, you might be better advised to just figure out what network access is necessary in the first place and enable that.

As far as RFCs go, the only relevant excerpt I could find was quoted on http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and seems to only cover the side initiating the connection. That is, IF they get a "REJECT" packet then they should immediately abort the connection and notify the application. If their connection is just dropped and we never tell them, so what?

Ben

--
gentoo-security@g.o mailing list
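The policy Ben describes (accept ICMP and 80/443, answer nothing else) and the DROP-versus-REJECT reflection point can be made concrete with a small model. The following is an added example, not part of the original mail or of any Gentoo documentation: it simulates the filter's verdict for a batch of probes and counts how many filter-generated packets (RST or ICMP unreachable) would be sent back to whatever source address the probes carried. The `Packet` structure, the RFC 5737 documentation addresses and the `iptables_rules` helper that renders the equivalent INPUT chain are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_TCP_PORTS = {80, 443}  # the only services this host advertises


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "icmp"
    dport: Optional[int] = None
    kind: str = "data"          # "syn", "rst", "icmp-unreach", "echo", "data"


def verdict(pkt: Packet, policy: str) -> str:
    """Filter verdict for an inbound packet under the given default policy.

    ICMP and the advertised TCP ports are accepted; everything else gets
    the default policy, which is either "DROP" or "REJECT".
    """
    if pkt.proto == "icmp":
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dport in ALLOWED_TCP_PORTS:
        return "ACCEPT"
    return policy


def filter_reply(pkt: Packet, policy: str) -> Optional[Packet]:
    """Packet the filter itself emits toward pkt.src, or None if nothing is sent."""
    if verdict(pkt, policy) != "REJECT":
        return None  # ACCEPT: handed to the service; DROP: silently discarded
    # iptables REJECT answers TCP with a RST when --reject-with tcp-reset is
    # used, otherwise with an ICMP port-unreachable. Either way a packet goes
    # back to whatever source address the probe carried, spoofed or not.
    if pkt.proto == "tcp":
        return Packet(src=pkt.dst, dst=pkt.src, proto="tcp", kind="rst")
    return Packet(src=pkt.dst, dst=pkt.src, proto="icmp", kind="icmp-unreach")


def replies_to(victim: str, probes: List[Packet], policy: str) -> int:
    """Count filter-generated packets that land on `victim` for a batch of probes."""
    count = 0
    for p in probes:
        r = filter_reply(p, policy)
        if r is not None and r.dst == victim:
            count += 1
    return count


def iptables_rules(policy: str) -> List[str]:
    """Equivalent iptables INPUT chain for this policy (constructed example)."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -p icmp -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 443 -j ACCEPT",
    ]
    if policy == "REJECT":
        # Explicit REJECT rules at the end; the DROP policy is then never reached.
        rules.append("iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset")
        rules.append("iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable")
    return rules


# Constructed sample traffic: SYNs to five ports, all claiming to come from
# VICTIM (a spoofed source), aimed at the web server.
SERVER = "192.0.2.10"      # RFC 5737 documentation address
VICTIM = "198.51.100.7"    # RFC 5737 documentation address
PROBES = [Packet(src=VICTIM, dst=SERVER, proto="tcp", dport=port, kind="syn")
          for port in (22, 25, 80, 443, 3306)]

if __name__ == "__main__":
    for policy in ("DROP", "REJECT"):
        n = replies_to(VICTIM, PROBES, policy)
        print(f"{policy}: filter sends {n} packet(s) to {VICTIM}")
    print("\n".join(iptables_rules("DROP")))
```

Only the three probes to closed ports (22, 25, 3306) produce a filter-generated reply under REJECT; the SYNs to 80 and 443 are accepted in both cases and reach the service. Under DROP the count is zero, which is the "precisely zero" point made above; the trade-off, as the thread notes, is that a legitimate client sees a timeout instead of an immediate connection error.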

Replies

Subject Author
Re: [gentoo-security] firewall suggestions? Frank Gruellich <frank@××××××××××××.org>
Re: [gentoo-security] firewall suggestions? Trevor Lauder <trevor@××××××××××.net>
Re: [gentoo-security] firewall suggestions? Oliver Schad <o.schad@×××.de>