List Archive: gentoo-security
To: gentoo-security@g.o
From: Frank Gruellich <frank@...>
Subject: Re: firewall suggestions?
Date: Thu, 8 Jan 2004 09:03:12 +0100
Hello,

* Mark Hurst <mark@...>  8. Jan 04
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
> invisible.

Sorry, but this is complete nonsense.  You should always use the
REJECT target.  To simply drop packets is contrary to the standards and
hampers net traffic.  If you don't want to talk to me, say so.  Simply
remaining silent and letting me wait is very impolite.

And in fact you gain no security in 'hiding' your machine by dropping
packets.  If somebody 'tests' your machine and it's off the net, he will
get an ICMP host unreachable from your gateway.  If he doesn't get any
answer, he knows that it is online and there is a braindead root in
front of this machine, knowing nothing about IP, but playing with his
filter, so let's see if its mis-configured box maybe has a telnet
open or any other broken services he wasn't able to unbind from
external interfaces.

DROP is rarely useful to remove damaged packets or in combination with
the -m --limit condition to prevent some DoS attacks or.

Thou shallth not use thy DROP targeth (mostly),
 regards, Frank.
-- 
Sigmentation fault
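
The policy argued for in the message above, written out as an added example that is not part of the original post: refuse unwanted traffic with REJECT, and keep DROP for invalid packets and for refusals beyond a rate limit. The port list, the rate values and the `REFUSE` chain name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the INPUT chain only.
# It does not change the running firewall. Port and rate values are assumptions.
ALLOWED_TCP_PORTS="22"     # assumed: the only service offered externally
REJECT_RATE="10/second"    # assumed ceiling for answered refusals
REJECT_BURST="20"

emit_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:REFUSE - [0:0]
-A INPUT -i lo -j ACCEPT
# Damaged or out-of-state packets are discarded without a reply.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
    done
cat <<EOF
# Everything else gets an explicit refusal, up to the rate limit.
# Only the excess above that rate is discarded silently.
-A INPUT -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REFUSE
-A INPUT -j DROP
# TCP is refused with a reset, UDP with port unreachable, as a closed port would be.
-A REFUSE -p tcp -j REJECT --reject-with tcp-reset
-A REFUSE -p udp -j REJECT --reject-with icmp-port-unreachable
-A REFUSE -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Print the ruleset; as root, pipe it to "iptables-restore --test" to validate it.
emit_ruleset
```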

Updated Jun 17, 2009
