List Archive: gentoo-security
To: Frank Gruellich <frank@...>
From: Mark Hurst <mark@...>
Subject: Re: firewall suggestions?
Date: Fri, 9 Jan 2004 10:43:52 +1100
> Sorry, but this is completely nonsense.  You should always use the
> REJECT target.  To simply drop packets is contrary to the standards and
> hampers net traffic.  If you don't want to talk to me, say so.  Simply
> remaining silent and letting me wait is very unpolite.

So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
incoming traffic? OK, if you say so. I must make a note to inform the
authors of every firewall manual and book I've ever read that they're
wrong.

How exactly does it "hamper net traffic" to let you time out when
connecting to a closed port?

> And in fact you gain no security in 'hiding' your machine by dropping
> packets.  If somebody 'tests' your machine and it's off the net, he will
> get an ICMP host unreachable from your gateway.  If he doesn't get any
> answer, he knows that it is online and there is a braindead root in
> front of this machine, knowing nothing about IP, but playing with his
> filter, so let's see if this misconfigured box maybe has a telnet
> open or any other broken services he wasn't able to unbind from
> external interfaces.

Yeah, top statement there. Your attacker knows no such thing, all he knows
is he timed out instead of getting rejected instantly. If you try a random
port on some random IP address and you don't get a host unreachable, do
you KNOW that it's up? Of course you don't, unless you control every
router in the world.

You should tone down the insults. Trying to show how clever you are by
being rude is not productive.

Better go now and try to unbind broken services from my external
interfaces like the braindead root that I am. And play with my filter.
Thanks for the laughs.

--
gentoo-security@g.o mailing list
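The thread argues DROP against REJECT as if one must pick a single policy for everything. A common middle ground that addresses both posters' points is a default DROP policy with an explicit REJECT on the few ports where a silent drop makes legitimate peers wait: the classic case is ident (TCP 113), which some mail and IRC servers probe before accepting a session. The script below is an added example written for this page, not code from either poster or from the Gentoo project; the interface name `eth0`, the administrative network `192.0.2.0/24` and the SSH service are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset with a
# default DROP policy that still answers selected probes with REJECT, so peers
# that legitimately query a closed port are not left waiting for a timeout.
WAN_IF="${WAN_IF:-eth0}"                  # assumption: external interface name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # constructed documentation range

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to flows we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP the host needs: path MTU discovery, plus rate-limited echo for diagnostics
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Services actually offered, restricted to the networks that may use them
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# ident: mail/IRC servers query it before talking to us; a silent drop makes
# them wait for their own timeout, so answer with a TCP reset instead
-A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Everything else falls through to the chain's DROP policy
COMMIT
EOF
}

# Helpers so the generated policy can be checked rather than just eyeballed:
# which default policy a chain carries, and how many rules explicitly REJECT.
policy_for_chain() { gen_ruleset | awk -v c=":$1" '$1 == c { print $2 }'; }
reject_count()     { gen_ruleset | grep -c -- '-j REJECT'; }

# Usage (dry run, syntax check only): gen_ruleset | iptables-restore --test
```

Only the ident rule sends anything back; every other unlisted port stays silent, which is the behaviour Mark defends, while the one port where a drop demonstrably delays other people's connections gets the immediate answer Frank asks for. `--reject-with tcp-reset` is used rather than the default ICMP port-unreachable because a TCP peer treats a RST as a clean "connection refused".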
