List Archive: gentoo-security
Hello,
* Mark Hurst <mark@...> 8. Jan 04
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
> invisible.
Sorry, but this is complete nonsense. You should always use the
REJECT target. To simply drop packets is contrary to the standards and
hampers net traffic. If you don't want to talk to me, say so. Simply
remaining silent and letting me wait is very impolite.
And in fact you gain no security in 'hiding' your machine by dropping
packets. If somebody 'tests' your machine and it's off the net, he will
get an ICMP host unreachable from your gateway. If he doesn't get any
answer, he knows that it is online and that there is a braindead root in
front of this machine, knowing nothing about IP but playing with his
filter, so let's see if this mis-configured box maybe has a telnet
open or any other broken service he wasn't able to unbind from
external interfaces.
DROP is rarely useful, to remove damaged packets or in combination with
the -m limit match to prevent some DoS attacks.
Thou shallth not use thy DROP targeth (mostly),
regards, Frank.
--
Sigmentation fault
--
gentoo-security@g.o mailing list
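As an added example (not part of the original thread), the REJECT-first policy argued for above, written as iptables rules: DROP only for damaged (INVALID) packets and for the `-m limit` SYN-flood case, REJECT for everything else. The external interface name and the offered port are assumptions, and the script only prints the rules unless `IPT_APPLY=1` is set.

```shell
#!/bin/sh
# Constructed example: REJECT closed ports, DROP only damaged/flooding packets.
set -eu

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"   # assumed external interface

# Emit one rule; only execute it when IPT_APPLY=1, otherwise print it.
rule() {
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

ruleset() {
    rule -F INPUT
    # Other interfaces (assumed LAN) are left to the ACCEPT policy.
    rule -P INPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Case 1 for DROP: damaged or untrackable packets get no answer at all.
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Case 2 for DROP: SYN flood guard. Within the limit the packet RETURNs
    # to INPUT for normal handling; beyond it the excess is silently dropped.
    rule -N syn_flood
    rule -A syn_flood -m limit --limit 25/s --limit-burst 50 -j RETURN
    rule -A syn_flood -j DROP
    rule -A INPUT -i "$WAN" -p tcp --syn -j syn_flood

    # Services actually offered on the outside (assumed: SSH).
    rule -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT

    # Everything else: answer immediately with the standard "closed" signal
    # (TCP RST or ICMP unreachable) instead of letting the peer time out.
    rule -A INPUT -i "$WAN" -p tcp -j REJECT --reject-with tcp-reset
    rule -A INPUT -i "$WAN" -p udp -j REJECT --reject-with icmp-port-unreachable
    rule -A INPUT -i "$WAN" -j REJECT --reject-with icmp-proto-unreachable
}

ruleset
```

Run without `IPT_APPLY` to review the generated rules first; the REJECT rules are what make a closed port answer at once, while the two DROP rules cover only the cases the post concedes.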