List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
* Mark Hurst <mark@...> 9. Jan 04
> > Sorry, but this is completely nonsense. You should always use the
> > REJECT target. To simply drop pakets is contrary the standards and
> > hampers net traffic. If you don't want to talk to me, say so. Simply
> > remain silent and let me wait is very unpolite.
> So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
> incoming traffic? OK, if you say so. I must make a note to inform the
> authors of every firewall manual and book i've ever read that they're
Send me this note, too, 'cause I also use -P DROP. _But_ because usual
default policies allow only to DROP packts. This is very okay, because
in this scenario everything missing my rules is something unknown. To
answer in a specific manner to something unknown is not advisable. But
if my default policy catches I have done something wrong anyway, cause a
packet traversed my rules I did not consider in my filter design.
Default policies should be used as a kind of fallback (IMHO).
> How exactly does it "hamper net traffic" to let you time out when
> connecting to a closed port?
I have to resend my requests multiple times. No answer means
(following the RFCs), that the packet was lost due to a malfunction.
> Yeah, top statement there. Your attacker knows no such thing, all he knows
> is he timed out instead of getting rejected instantly. If you try a random
> port on some random IP address and you don't get a host unreachable, do
> you KNOW that it's up?
This or any fault in the network between us.
> Of course you don't, unless you control every router in the world.
This may be the fault: some routers don't behave like routers.
> You should tone down the insults. Trying to show how clever you are by
> being rude is not productive.
As mentioned in other posts I beg your pardon, too.
> Better go now and try to unbind broken services from my external
> interfaces like the braindead root that i am. And play with my filter.
> Thanks for the laughs.
The thread arose from the statement, that even on single hosts a paket
filter used to drop ports increases security more than simply close
ports by stoping services.
email@example.com mailing list