List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Stephen Clowater <steve@...>
Subject: Re: firewall suggestions?
Date: Fri, 09 Jan 2004 02:28:02 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think we can sum up this entire discussion as it pertains to the
original topic of firewalls with a few simple points.

You can not block ICMP; it breaks TCP. It's a "Control Message Protocol"
for a reason. If you block it, you can not send squelches, routes
unreachable, etc. Point being, block ICMP on your local box and you will
see a few odd problems, but nothing too devastating. Block it on a piece of
networking hardware and you will $%@#$ up a network.

However, what is safe to block is ICMP echo requests (type 5, or type 9
(?) I can't remember specifically), and it is important (and I believe done
by default by the kernel [or at least by MY kernel]) to block any
response to an ICMP broadcast, to avoid participating in a smurf attack.

Secondly, DROP or REJECT. It doesn't really matter. Personally, I drop,
since I see no need of sending a reply back, since there is no
legitimate reason to connect on this port. And yes, it DOES slow down a
person doing a conventional port scan on you (i.e. someone across the
room downloads and runs NMAP on you with the defaults).

HOWEVER, if someone is serious about port scanning you, they are going
to be parallelizing it. Scan half the ports with one sweep. Makes the scan
go pretty quick regardless of whether you REJECT or DROP.

As I said, personally, my default policy is DROP; as I said above,
personally, I see no reason for my computer to respond to yours with any
ICMP messages if you are trying to connect on a blocked port. Secondly,
DROP is a few cycles faster than REJECT, which can help out a little in
a DOS scenario (please no one argue about the speed consequences of
using DROP over REJECT, I will concede now (pardon my spelling, or lack
thereof) it makes no difference unless you're doing it on a Cisco 8700
series router at the border of a class A network that is over 70% full).

However, for almost all users out there, you could change your DROPs to
REJECTs and you would be fine. You're not opening up some mysterious hole
by doing so; moreover, you're not making yourself any less conspicuous
[spelling, yes I know :p] to the attackers you need to worry about.

Now let's all go read the RFC for ICMP and TCP...
- --
Stephen Clowater

BOFH Excuse #229:

wrong polarity of neutron flow

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?  "grep -i 'meaning of life' /dev/null": "grep \
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE//knwcyHa6bMWAzYRAgbcAJ9mw2lSgCe4zTn0Y1fUsHJi20pFJACgptFi
uLIZSO0j5M44I4vnX2kY5HI=
=D9vN
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
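The points in the message above (keep the ICMP control messages TCP depends on, drop only echo-request, never answer broadcast echoes, and fall back to a DROP default policy) as one iptables host firewall. This is an added example, not code from the original post or from Gentoo; the interface name `eth0`, the exposed port 22 and the `check_rules` helper are assumptions made for the example, and the script only prints the commands unless you pipe its output to a root shell yourself.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an iptables INPUT policy
# that follows the thread's advice. By default it only PRINTS the commands.
# The interface and the exposed TCP ports are assumptions for this example.

WAN_IF="${WAN_IF:-eth0}"       # assumed external interface
ALLOW_TCP="${ALLOW_TCP:-22}"   # assumed services to expose (space separated)

# ICMP types we must keep: the "squelches" and "routes unreachable" the post
# refers to. Dropping destination-unreachable in particular breaks path-MTU
# discovery (fragmentation-needed is a subtype of it), and dropping
# time-exceeded breaks traceroute and TTL diagnostics.
KEEP_ICMP="destination-unreachable source-quench time-exceeded parameter-problem"

build_rules() {
    # Kernel-level smurf protection: never reply to echo sent to a broadcast.
    echo "sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1"
    # Silent default: unsolicited packets are dropped, not answered.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Conntrack already admits ICMP errors RELATED to tracked flows; the
    # explicit accepts below also keep errors for traffic it did not see.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for t in $KEEP_ICMP; do
        echo "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # The one ICMP type the post calls safe to block: inbound ping.
    echo "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP"
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else hits the DROP policy. To take the post's "REJECT is
    # fine too" option instead, append a terminal rule such as:
    #   iptables -A INPUT -i $WAN_IF -j REJECT --reject-with icmp-port-unreachable
}

# Sanity check (assumed helper): returns 0 only if the rule text keeps every
# essential ICMP type, drops echo-request, and sets the broadcast sysctl.
check_rules() {
    rules="$1"
    for t in $KEEP_ICMP; do
        echo "$rules" | grep -q -- "--icmp-type $t -j ACCEPT" || return 1
    done
    echo "$rules" | grep -q -- "--icmp-type echo-request -j DROP" || return 1
    echo "$rules" | grep -q "icmp_echo_ignore_broadcasts=1" || return 1
    return 0
}

build_rules
```

To apply, review the printed commands and then run `sh firewall.sh | sudo sh`; `check_rules` is meant to catch the common mistake of a blanket `-p icmp -j DROP` that removes the unreachable and time-exceeded messages along with ping.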
