List Archive: gentoo-security
> Sorry, but this is complete nonsense. You should always use the
> REJECT target. Simply dropping packets is contrary to the standards and
> hampers net traffic. If you don't want to talk to me, say so. Simply
> remaining silent and making me wait is very unpolite.
So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
incoming traffic? OK, if you say so. I must make a note to inform the
authors of every firewall manual and book I've ever read that they're
How exactly does it "hamper net traffic" to let you time out when
connecting to a closed port?
> And in fact you gain no security in 'hiding' your machine by dropping
> packets. If somebody 'tests' your machine and it's off the net, he will
> get an ICMP host unreachable from your gateway. If he doesn't get any
> answer, he knows that it is online and there is a braindead root in
> front of this machine, knowing nothing about IP but playing with his
> filter, so let's see if this mis-configured box maybe has a telnet
> open or any other broken services he wasn't able to unbind from
> external interfaces.
Yeah, top statement there. Your attacker knows no such thing; all he knows
is that he timed out instead of getting rejected instantly. If you try a random
port on some random IP address and you don't get a host unreachable, do
you KNOW that it's up? Of course you don't, unless you control every
router in the world.
You should tone down the insults. Trying to show how clever you are by
being rude is not productive.
Better go now and try to unbind broken services from my external
interfaces like the braindead root that I am. And play with my filter.
Thanks for the laughs.
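The disagreement above comes down to what a prober can actually conclude from each possible answer to a connection attempt. The following is an added example, written for this archive page and not code from either poster or from Gentoo; it uses only the Python standard library and classifies the outcome of a plain TCP connect() probe. The demo runs entirely on loopback: a closed port on 127.0.0.1 answers with the same RST that the REJECT target (with tcp-reset) would send, so it exercises the "rejected instantly" case; a DROP policy or a dead host cannot be simulated locally, so the timeout and ICMP-unreachable branches are only reached when probing a real remote target. Host, port and timeout values are the caller's choice.

```python
"""Classify what a TCP connect() probe reveals about a host (added example)."""
import errno
import socket

# Outcome labels, named after the usual scanner vocabulary.
OPEN = "open"                # SYN/ACK: host is up and a service is listening
CLOSED = "closed"            # RST (what REJECT sends): host is up, port is closed
UNREACHABLE = "unreachable"  # ICMP host/net unreachable from a router on the path
FILTERED = "filtered"        # no answer before the timeout: DROP, dead host, or loss


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connection and map the result to an outcome label."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        # The peer's kernel (or a REJECT rule) answered with a TCP RST.
        return CLOSED
    except socket.timeout:
        # Silence: this is all a DROP policy ever gives the prober.
        return FILTERED
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # A router, not the target, said it cannot deliver the packet.
            return UNREACHABLE
        raise
    finally:
        s.close()


def host_known_up(outcome: str):
    """What a single probe proves about the host: True, False, or None (unknown).

    A timeout is the important case: it is consistent with a DROP rule on a
    live host, with a host that is switched off, and with packet loss, so the
    prober learns nothing definite from it.
    """
    if outcome in (OPEN, CLOSED):
        return True
    if outcome == UNREACHABLE:
        return False
    return None


def demo_localhost() -> dict:
    """Probe an ephemeral loopback port while it listens and after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"listening": probe("127.0.0.1", port)}
    srv.close()  # nothing listens now; the kernel answers the next SYN with RST
    results["closed"] = probe("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for state, outcome in demo_localhost().items():
        print(f"{state}: {outcome}, host known up: {host_known_up(outcome)}")
```

Running it prints "listening: open" and "closed: closed", both of which prove the host is up. Pointing probe() at a port behind a DROP rule yields "filtered", for which host_known_up() returns None: the prober cannot distinguish a dropping firewall from a machine that is simply off, which is the point the reply above makes.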