List Archive: gentoo-security
* Mark Hurst <mark@...> 9. Jan 04
> > Sorry, but this is complete nonsense. You should always use the
> > REJECT target. To simply drop packets is contrary to the standards and
> > hampers net traffic. If you don't want to talk to me, say so. Simply
> > remaining silent and letting me wait is very unpolite.
> So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
> incoming traffic? OK, if you say so. I must make a note to inform the
> authors of every firewall manual and book I've ever read that they're
> wrong.
Send me this note, too, 'cause I also use -P DROP. _But_ only because the
usual default policies allow nothing but DROP for packets. This is very okay,
because in this scenario everything that gets past my rules is something
unknown. Answering something unknown in a specific manner is not advisable.
But if my default policy catches anything, I have done something wrong
anyway, 'cause a packet traversed my rules that I did not consider in my
filter design. Default policies should be used as a kind of fallback (IMHO).
> How exactly does it "hamper net traffic" to let you time out when
> connecting to a closed port?
I have to resend my requests multiple times. No answer means (following
the RFCs) that the packet was lost due to a malfunction.
> Yeah, top statement there. Your attacker knows no such thing, all he knows
> is he timed out instead of getting rejected instantly. If you try a random
> port on some random IP address and you don't get a host unreachable, do
> you KNOW that it's up?
This or any fault in the network between us.
> Of course you don't, unless you control every router in the world.
This may be the fault: some routers don't behave like routers.
> You should tone down the insults. Trying to show how clever you are by
> being rude is not productive.
As mentioned in other posts I beg your pardon, too.
> Better go now and try to unbind broken services from my external
> interfaces like the braindead root that I am. And play with my filter.
> Thanks for the laughs.
The thread arose from the statement that even on single hosts a packet
filter used to drop ports increases security more than simply closing
ports by stopping services.
Regards, Frank.
--
Sigmentation fault
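The filter design Frank describes above, as an added example that is not part of the original thread: a default DROP policy that acts only as a fallback, explicit REJECT rules for ports that are deliberately closed, and a LOG rule just before the fallback so that anything reaching the default policy shows up as a gap in the rule set. The script only prints the iptables commands; the port numbers are constructed placeholders, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the gentoo-security thread. Emits an iptables
# INPUT ruleset in the "default DROP as fallback, explicit REJECT for known
# closed ports" style. It prints the commands rather than applying them.

# Constructed placeholder values (assumptions, not from the thread).
ALLOWED_TCP_PORTS="22"          # services this host intentionally offers
CLOSED_TCP_PORTS="25 110 143"   # ports known to be closed; answer with a RST

# Print the ruleset. Order matters: iptables is first-match, so the explicit
# rules are consulted before a packet can reach the chain's default policy.
emit_ruleset() {
    # Fallback policy: anything no rule accounts for is silently dropped.
    printf 'iptables -P INPUT DROP\n'
    # Loopback and replies to our own connections are always known traffic.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $ALLOWED_TCP_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    # Known closed ports get an explicit, immediate answer (TCP RST), so a
    # legitimate client does not sit in a timeout.
    for p in $CLOSED_TCP_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$p"
    done
    # Anything still unmatched is logged (rate-limited) and then falls
    # through to the DROP policy. Entries with this prefix in the kernel log
    # are the check Frank mentions: traffic the filter design did not foresee.
    printf 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-FALLBACK: "\n'
}

# Number of explicit REJECT rules, handy for sanity-checking the output.
reject_rule_count() {
    emit_ruleset | grep -c -- '-j REJECT --reject-with tcp-reset'
}

emit_ruleset
```

Reviewing the kernel log for the FW-FALLBACK prefix then tells you which packets reached the default policy; each hit is either unwanted traffic that could get its own explicit rule, or a service you forgot to account for.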
--
gentoo-security@g.o mailing list