Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: Oliver Schad <o.schad@...>
From: Stewart Honsberger <blkdeath@g.o>
Subject: Re: firewall suggestions?
Date: Sat, 31 Jan 2004 04:06:07 -0500
Oliver Schad wrote:
>     --------------[RFC 793 - Transmission Control Protocol]---------
[...]
>     --------------[RFC 792 - INTERNET CONTROL MESSAGE PROTOCOL]---------

> What was your argument?

That the open and honest nature of the Internet's original design isn't 
always the best plan for a security policy.

SMTP and HTTP proxies are open protocols as well, but it's quite 
inadviseable to allow global relaying for either/both service(s).

I don't send anything back to any unexpected port probes because I don't 
want to.

Sure, to some extent it is security through obscurity, but the old 
addage isn't entirely correct. If not for security through obscurity 
we'd all have our PIN numbers sharpie'd on our ATM cards.

Going back to NAT - again, the old "NAT is not security!" addage is an 
over-generalization. One-to-many NAT *IS* inherrently secure. If some 
schmoe behind my NAT router decides to deploy a default install of 
IIS/[4-5], or SQL Server, or even an old Apache or Rsync or MySQL server 
- the outside world will not be able to access said service unless I 
give it permission (deny all, allow some is NAT's model; much 
consumer-level NAT equipment has an option to allow an open system, 
which, thankfully, I've never seen enabled per default), and I assure 
you, I won't until I've verified the security of the install.

DROP versus REJECT isn't a be-all, end-all security mechanism. It is, 
however, one facet of a good security model. As long as people 
understand that, I don't think it's a terribly big issue.

-- 
Stewart Honsberger - http://blackdeath.snerk.org/
To teach is to learn twice.
                 -- Joseph Joubert

--
gentoo-security@g.o mailing list

Replies:
Security without obscurity (was: [gentoo-security] firewall suggestions?)
-- Andrew Ross
References:
Re: firewall suggestions?
-- Oliver Schad
Re: firewall suggestions?
-- Ben Cressey
Re: firewall suggestions?
-- Oliver Schad
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: firewall suggestions?
Next by thread:
Security without obscurity (was: [gentoo-security] firewall suggestions?)
Previous by date:
Re: grsecurity + usermode Linux + skas ?
Next by date:
Re: firewall suggestions?


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.