Gentoo Archives: gentoo-security

From: Trevor Lauder <trevor@××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 01:58:43
Message-Id: 65097.68.144.33.43.1073613065.squirrel@webmail.thelauders.net
In Reply to: Re: [gentoo-security] firewall suggestions? by Ben Cressey
Ben Cressey said:
>> To hide a host is always very stupid, why should you do this? There is >> no >> advantage. If you "hide" your computer an attacker knows there is an >> stupid guy who doesn't know anything about network security. > > You're rather free with calling people "stupid" with little to no > justification. One could as easily turn it around and ask "why should my > server reply at all to connection attempts to ports I am not running any > services on?" > > If I am just running a web server, nobody has any business connecting to > any > port besides 80/tcp and 443/tcp. ICMP traffic is fine, but what > legitimate > purpose is there in attempting a connection to another tcp port? If I was > running another service at that IP address, it would be advertised through > the appropriate channels. Users would (obviously) not need to run a port > scan to discover it. > > Since the person is trying to connect to a port they have no business > connecting to, I don't see why my server should send out a packet in > reply. > It's not about hiding the server or some fictitious security gain -- > although as someone pointed out replying to potentially spoofed source > addresses could be leveraged into some form of DoS attack. While the > chances of this are probably not high, they are precisely *zero* if you > don't bother to reply in the first place. >
The post above is probably the most logical post on this subject to this list so far. No one is slowing down the "net" or causing problems for other people by using DROP instead of REJECT. Calling people stupid because they don't follow your interpretation of the RFC does nothing but lower your credibility on the subject. Instead of throwing insults at people, how about you just stick to sharing valid information? Like was said above, people have no reason to connect to a closed port on my servers. If I choose to DROP that connection attempt instead of REJECT it, then that is my choice and I don't really care if it causes problems for that person. I see no reason to waste *my* bandwidth in sending a reply back to a person that most likely has no valid reason for trying to connect to that closed port. People might say that it is "polite" to send a reply back, but why should I be polite to a uninvited and unwanted connection attempt on a port that isn't even open? Trevor -- gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] firewall suggestions? Frank Gruellich <frank@××××××××××××.org>