List Archive: gentoo-security
On Thursday, 8 January 2004 at 21:50, Daniel Privratsky wrote to me:
> Oliver Schad wrote:
> > On Thursday, 8 January 2004 at 18:57, Daniel Privratsky wrote to me:
> > What the fuck...
> > I don't understand this, we want to break internet standards because
> > some script kids could be (under some circumstances) a little bit
> > slower with their attacks, which can only be successful, when an
> > administrator is too stupid to configure his systems. Is that the
> > argumentation for breaking internet standards?
> >
> > *argh*
>
> It is not about script kiddies. It's about security philosophy. REJECT
> means system alive & port closed or firewall in the way and that IS the
> information. DROP covers it with a fog of uncertainty.
Hey, somebody should settle on one line of argument. Now we don't care about
script kids? OK, let's take a look at advanced attackers.
A closed port is a closed port is a closed port. Should an attacker take
a can opener to it? When I know the port is filtered, this is
information too. So what?
> Yes, it's bad for standards. Yes, it's good for security. You can choose
> what is good for you.
It's good for nothing.
> Same applies to NAT, transparent proxies, syn defenders etc. Bad for
> pure-internet utopia, but sometimes good for security.
> And that's what is discussed here.
NAT is not a security feature; NAT is for NAT. If you want to protect a
network from connections being established from outside, use a packet
filter. But that should be treated in another discussion. You can be
secure and not break internet standards. You can run proxies, packet
filters etc. without breaking internet standards. It works fine and you
don't have to resort to security by obscurity.
> btw: I still don't get it with the ICMP "destination unreachable" idea.
> Does it mean that some ultra-tight Checkpoint firewall should be
> reconfigured to propagate its interfaces to the outer space just
> because someone tries to reach a non-working system? You must be joking.
Reject incoming connections; it works and it agrees with internet
standards.
Regards,
Oli
--
gentoo-security@g.o mailing list
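The REJECT-versus-DROP difference the thread argues about is something a client can observe directly: a rejected SYN is answered (with a TCP RST or an ICMP destination-unreachable) and the connect fails at once, while a dropped SYN is never answered and the client sits there until its own timeout expires. The following probe, an added example that is not part of the mailing-list post, classifies a port the way a scanner would ("open", "closed", "filtered") and demonstrates the "open" and "closed" cases against constructed local sockets. The iptables rules in the comments are the standard netfilter syntax for the two policies; the `probe` and `demo_local` function names, the 2-second timeout and the "unreachable" bucket for ICMP host/net-unreachable errors are choices made here for the example.

```python
import errno
import socket

# Added example, not from the gentoo-security thread. The two policies under
# discussion, in iptables syntax (rule syntax is iptables' own):
#   iptables -A INPUT -p tcp --dport 135 -j REJECT --reject-with tcp-reset
#   iptables -A INPUT -p tcp --dport 135 -j REJECT --reject-with icmp-port-unreachable
#   iptables -A INPUT -p tcp --dport 135 -j DROP
# REJECT answers the SYN (RST or ICMP type 3) and the client fails immediately
# with ECONNREFUSED; DROP answers nothing and the client waits for its timeout.


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port from the client's point of view.

    "open"        : three-way handshake completed, something is listening
    "closed"      : immediate refusal (RST or ICMP port-unreachable, i.e. REJECT)
    "filtered"    : nothing came back before the timeout (what DROP looks like)
    "unreachable" : ICMP host/net-unreachable or no route at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # assumed default of 2 s; a real scanner retries too
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def demo_local() -> dict:
    """Constructed demonstration on the loopback interface.

    One port is made to listen, another is bound and then released so the
    kernel answers a SYN to it with RST, which is exactly the answer a
    REJECT --reject-with tcp-reset rule would give. No packet is dropped here,
    so "filtered" only shows up against a host that really DROPs the SYN.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released: nothing listens on closed_port any more

    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, verdict in demo_local().items():
        print(f"{label:>6} port -> {verdict}")
```

Run against a host with a DROP rule, `probe()` returns "filtered" after the full timeout instead of "closed" right away; that delay is the only thing DROP buys, and the "filtered" verdict is itself the information Oli refers to. Note that scanners treat the two REJECT variants differently for TCP: an RST is reported as "closed", while an ICMP port-unreachable is usually reported as "filtered", so `--reject-with tcp-reset` is the choice that best matches what a real closed port does.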