| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
I think we can sum up this entire disccusion as it partains to the |
| 5 |
original topic of firewalls with a few simple points. |
| 6 |
|
| 7 |
You can not Block ICMP, it breaks tcp, its a "controll Message Prococol" |
| 8 |
for a reason. If you block it, you can not send squelches, routes |
| 9 |
unreachable, ect. Point being, block ICMP on your local box, you will |
| 10 |
see a few odd problems, but nothing to devestaing. Block it on a pice of |
| 11 |
networking hardware, you will $%@#$ up a network. |
| 12 |
|
| 13 |
However, what is safe to block is ICMP echo requests (type 5, or type 9 |
| 14 |
(?) I can't rember specificly), and it is important (and I belive done |
| 15 |
by default by the kernel [or at least by MY kernel]) to block any |
| 16 |
response to an ICMP brodcast. To avoid participating in a smurf attack. |
| 17 |
|
| 18 |
Secondly, DROP, or REJECT. It dosn't realy matter. Personally, I drop. |
| 19 |
Since I see no need of sending a reply back, since there is no |
| 20 |
legitimate reason to connect on this port. And yes, it DOES slow down a |
| 21 |
person doing a conventional port scan on you. (ie - Someone across the |
| 22 |
room downloads and runs NMAP on you with the defautls) |
| 23 |
|
| 24 |
HOWEVER, if someone is serious about port scanning you, they are going |
| 25 |
to be parralizing it. Scan half the ports with one sweep. Makes the scan |
| 26 |
go pretty quick regardless of weather you REJECT or DROP. |
| 27 |
|
| 28 |
As I said, personally, my default policy is DROP, as I said above, |
| 29 |
personally, I see no reason for my computer to respond to yours with any |
| 30 |
ICMP messages if you are trying to connect on a blocked port. Secondly, |
| 31 |
DROP is a few cycles faster that REJECT, which can help out a little in |
| 32 |
a DOS scenario (please no one argue about the speed consiquences of |
| 33 |
using DROP over reject, I will concide now (pardon my spelling, or lack |
| 34 |
thereof) it makes no difference unless your doing it on a cisco 8700 |
| 35 |
series router at the border of a class A network that is over 70% full) |
| 36 |
|
| 37 |
However, for almost all users out there, you could change your DROPs to |
| 38 |
REJECTs and you would be fine. Your not opening up some mysterious hole |
| 39 |
by doing so, moreover, your not making yourself any less conspicious |
| 40 |
[spelling, yes i know :p] to the attackers you need to worry about. |
| 41 |
|
| 42 |
Now lets all go read the RFC for ICMP and TCP... |
| 43 |
- -- |
| 44 |
Stephen Clowater |
| 45 |
|
| 46 |
BOFH Excuse #229: |
| 47 |
|
| 48 |
wrong polarity of neutron flow |
| 49 |
|
| 50 |
The (revised) 3 case c++ function to determine the meaning of life : |
| 51 |
|
| 52 |
#include <stdio.h> |
| 53 |
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\ |
| 54 |
))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \ |
| 55 |
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\ |
| 56 |
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\ |
| 57 |
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\ |
| 58 |
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; } |
| 59 |
|
| 60 |
-----BEGIN PGP SIGNATURE----- |
| 61 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 62 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 63 |
|
| 64 |
iD8DBQE//knwcyHa6bMWAzYRAgbcAJ9mw2lSgCe4zTn0Y1fUsHJi20pFJACgptFi |
| 65 |
uLIZSO0j5M44I4vnX2kY5HI= |
| 66 |
=D9vN |
| 67 |
-----END PGP SIGNATURE----- |
| 68 |
|
| 69 |
-- |
| 70 |
gentoo-security@g.o mailing list |
Archives