List Archive: gentoo-security
To: gentoo-security@g.o
From: Daniel Privratsky <dsokrates@...>
Subject: Re: firewall suggestions?
Date: Thu, 08 Jan 2004 21:50:51 +0100
Oliver Schad wrote:
> On Thursday, 8 January 2004 at 18:57, Daniel Privratsky wrote to me:
> 
>>Wrong.
>>
>>1) If you don't receive a "destination unreachable" packet, you know
>>nothing about the target host yet. This is not a perfect-network world.
>>There can be another fw/router anywhere in the way, killing this type of
>>icmp traffic.
>>
>>2) It slows scans a lot. You can of course do scanning in parallel, but
>>don't be surprised when you find yourself killed with no mercy by an IDS
>>after matching the SYN threshold. 1000+ syns/sec from one IP address to a
>>monitored system is a sure ban.
> 
> 
> What the fuck...
> I don't understand this, we want to break internet standards because some 
> script kids could be (under some circumstances) a little bit slower with 
> their attacks, which can only be successful, when an administrator is too 
> stupid to configure his systems. Is that the argumentation for breaking 
> internet standards?
> 
> *argh*

It is not about script kiddies. It's about security philosophy. REJECT 
means "system alive & port closed" or "firewall in the way", and that IS 
the information. DROP covers it with a fog of uncertainty.
Yes, it's bad for standards. Yes, it's good for security. You can choose 
what is good for you.
The same applies to NAT, transparent proxies, SYN defenders etc. Bad for 
a pure-internet utopia, but sometimes good for security.
And that's what is being discussed here.

BTW: I still don't get it with the icmp "destination unreachable" idea. 
Does it mean that some ultra-tight Checkpoint firewall should be 
reconfigured to propagate its interfaces to the outside world just 
because someone tries to reach a non-working system? You must be joking.

Regards

Daniel

--
gentoo-security@g.o mailing list
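An added illustration of the two policies the thread argues about, not code from the thread, from Daniel, or from Gentoo: one nftables ruleset (modern tooling, not the 2004-era iptables the list would have used) whose input chain dispatches everything unwanted to either a REJECT chain or a DROP chain, with comments on what a remote sender can learn from each. The `inet filter` naming and the SSH port are assumptions.

```nftables
# Added example, not from the mailing list. Table/chain names and
# the exposed port (22) are assumptions; adjust to the real host.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # services we intentionally expose
        tcp dport 22 accept

        # everything else: pick ONE of the two chains below
        jump unwanted_drop
        # jump unwanted_reject
    }

    # REJECT semantics: the host always answers. A TCP RST (or an ICMP
    # port-unreachable for UDP and other protocols) immediately tells
    # the sender "host alive, port closed or blocked by policy", which
    # is what the RFCs expect and what Daniel calls "the information".
    chain unwanted_reject {
        tcp flags syn reject with tcp reset
        reject with icmpx type port-unreachable
    }

    # DROP semantics: silence. The sender cannot distinguish "dropped by
    # policy" from "never delivered", and every probe costs it a full
    # timeout. The ambiguity cuts both ways, though: our own debugging
    # gets no signal either, so keep a rate-limited log of what we drop.
    chain unwanted_drop {
        limit rate 10/minute burst 5 packets log prefix "fw-drop: "
        drop
    }
}
```

`nft -c -f firewall.nft` checks the file for syntax errors without loading it, so the two variants can be compared before one is put on a live host.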
