> Sorry, but this is completely nonsense. You should always use the
> REJECT target. To simply drop packets is contrary to the standards and
> hampers net traffic. If you don't want to talk to me, say so. Simply
> remaining silent and letting me wait is very unpolite.

So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop
incoming traffic? OK, if you say so. I must make a note to inform the
authors of every firewall manual and book I've ever read that they're
wrong.

How exactly does it "hamper net traffic" to let you time out when
connecting to a closed port?

> And in fact you gain no security in 'hiding' your machine by dropping
> packets. If somebody 'tests' your machine and it's off the net, he will
> get an ICMP host unreachable from your gateway. If he doesn't get any
> answer, he knows that it is online and there is a braindead root in
> front of this machine, knowing nothing about IP, but playing with his
> filter, so let's see if this mis-configured box maybe has a telnet
> open or any other broken service he wasn't able to unbind from
> external interfaces.

Yeah, top statement there. Your attacker knows no such thing; all he knows
is he timed out instead of getting rejected instantly. If you try a random
port on some random IP address and you don't get a host unreachable, do
you KNOW that it's up? Of course you don't, unless you control every
router in the world.

You should tone down the insults. Trying to show how clever you are by
being rude is not productive.

Better go now and try to unbind broken services from my external
interfaces like the braindead root that I am. And play with my filter.
Thanks for the laughs.

-- 
gentoo-security@g.o mailing list
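The whole argument above is about what a connecting party can observe: an immediate refusal (REJECT), silence until a timeout (DROP), or an ICMP unreachable from some router in between. The following is an added example, not code from the thread or from either poster: a single TCP connect probe that labels a port by the error the connect raises, so you can check from a second machine that your own host's DROP policy really produces silence and that a REJECT policy really produces an instant refusal. The host and port values are placeholders; the self-check uses the loopback interface, where a port nothing listens on answers with a RST.

```python
"""
Added example (not from the mailing-list thread): a TCP connect probe that
labels a port by what the remote side sends back, which is the only thing
either side of this argument can actually observe from outside.

Run it from a second machine against your own host to confirm that DROP
really produces silence and REJECT really produces an immediate refusal.
Host and port values are placeholders chosen by the caller.
"""
import errno
import socket

# Labels describe what the probing side sees, not which firewall rule fired.
CLOSED = "closed: RST or ICMP port-unreachable (REJECT, or nothing listening and no filter)"
FILTERED = "no answer: packets silently dropped, or the host is off and no router said so"
UNREACHABLE = "ICMP host/net-unreachable sent by a router on the path"
OPEN = "open: something accepted the connection"


def classify_exception(exc: BaseException) -> str:
    """Map the error connect() raised to what the prober can conclude.

    On Linux both a TCP RST and an ICMP port-unreachable surface on the
    connecting socket as ECONNREFUSED, so REJECT's two usual reject-with
    options look the same here.  A timeout is ambiguous by design: DROP is
    indistinguishable from an unrouted or powered-off host, which is the
    point made in the reply above.
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    raise exc  # anything else is not a verdict we can honestly give


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and return the observation label."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:  # socket.timeout is an OSError subclass
            return classify_exception(exc)
    return OPEN


def free_local_port() -> int:
    """Pick a loopback port nothing is listening on (self-check only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Self-check: an unlistened loopback port answers with a RST at once,
    # i.e. the REJECT-style behaviour.  Against a DROP-policy host you
    # would instead wait the full timeout and get the FILTERED label.
    print(probe("127.0.0.1", free_local_port(), timeout=1.0))
```

Point the probe at a host whose default INPUT policy is DROP and the call returns only after the full timeout; with `-j REJECT` (whether `--reject-with tcp-reset` or the default ICMP port-unreachable) it returns immediately with the closed label. Neither outcome tells the caller whether the silence came from a filter or from an absent host, which is exactly the ambiguity the reply above relies on.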