List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
Am Donnerstag, 8. Januar 2004 21:50 schrieb mir Daniel Privratsky:
> Oliver Schad wrote:
> > Am Donnerstag, 8. Januar 2004 18:57 schrieb mir Daniel Privratsky:
> > What the fuck...
> > I don't understand this, we want to break internet standards because
> > some script kids could be (under some circumstances) a little bit
> > slower with their attacks, which can only be successful, when an
> > administrator is too stupid to configure his systems. Is that the
> > argumentation for breaking internet standards?
> > *argh*
> It is not about script kiddies. It's about security philosophy. REJECT
> means system alive & port closed or firewall in the way and that IS the
> information. DROP covers it with a fog of uncertainty.
Hey somebody should decide for one argumentation. Now we don't care about
script kids? Ok, let's take a look to advanced attackers.
A closed port is a closed port is a closed port. Should an attacker take
an can opener for it? When I know the port is filtered, this is an
information too. So what?
> Yas, it's bad to standards. Yes, it's good to security. You can choose
> what is good to you.
It's good for nothing.
> Same applies to NAT, transparent proxies, syn defenders etc. Bad for
> pure-internet utopia, but sometimes good for security.
> And that's what is discussed here.
NAT is no security feature, NAT is still for NAT. If you want to protect a
network from establishing an connection from outside take a packet
filter. But that should be treated in another discussion. You can be
secure and don't break internet standards. You can run proxies, packet
filters etc. without breaking internet standards. It works fine and you
don't have to revert to security by obscurity.
> btw: I still don't get it with the icmp "destination unrechable" idea.
> does it mean, that some ultra tight checkpoint firewall should be
> reconfigured, to propagete to the outer space it's interfaces just
> because someone tries to reach non working system? you must be joking.
Reject incoming connections, it works and it agrees with internet
email@example.com mailing list