List Archive: gentoo-security
To: <gentoo-security@g.o>
From: "Ben Cressey" <ben@...>
Subject: Re: firewall suggestions?
Date: Thu, 8 Jan 2004 15:16:26 -0500
> To hide a host is always very stupid, why should you do this? There is no
> advantage.  If you "hide" your computer an attacker knows there is an
> stupid guy who doesn't know anything about network security.

You're rather free with calling people "stupid" with little to no
justification. One could as easily turn it around and ask "why should my
server reply at all to connection attempts to ports I am not running any
services on?"

If I am just running a web server, nobody has any business connecting to any
port besides 80/tcp and 443/tcp.  ICMP traffic is fine, but what legitimate
purpose is there in attempting a connection to another tcp port?  If I was
running another service at that IP address, it would be advertised through
the appropriate channels.  Users would (obviously) not need to run a port
scan to discover it.

Since the person is trying to connect to a port they have no business
connecting to, I don't see why my server should send out a packet in reply.
It's not about hiding the server or some fictitious security gain --
although as someone pointed out replying to potentially spoofed source
addresses could be leveraged into some form of DoS attack.  While the
chances of this are probably not high, they are precisely *zero* if you
don't bother to reply in the first place.

The issues of "ident lookups" and "difficult to troubleshoot" are in my
opinion not relevant.  If you are relying on the behavior of REJECT vs DROP
to ensure that supported applications behave correctly, you might be better
advised to just figure out what network access is necessary in the first
place and enable that.

As far as RFCs go, the only relevant excerpt I could find was quoted on
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and seems
to only cover the side initiating the connection.  That is, IF they get a
"REJECT" packet then they should immediately abort the connection and notify
the application.  If their connection is just dropped and we never tell
them, so what?

Ben


--
gentoo-security@g.o mailing list
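An added example, not code from the original post or from Gentoo: a small POSIX shell script that emits an nftables ruleset for the "just a web server" policy argued for above (80/tcp and 443/tcp open, ICMP allowed, nothing else answered). Running it with POLICY=drop produces the silent behaviour Ben describes, where an unsolicited probe gets no packet back at all; POLICY=reject produces the alternative from the thread, answering each unsolicited TCP probe with a TCP RST. The rate limit on ICMP, the use of the inet family, and the ruleset() / reply_rules() helper names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables ruleset
# for a host that only serves HTTP/HTTPS.  POLICY=drop silently discards
# everything else; POLICY=reject answers unsolicited TCP with a RST.
# Rate limits and helper names are assumptions for illustration.
set -eu

# Emit the ruleset text for the given policy ("drop" or "reject").
ruleset() {
    policy="$1"
    case "$policy" in
        drop)   tail='drop' ;;
        reject) tail='reject with tcp reset' ;;
        *) echo "usage: ruleset drop|reject" >&2; return 2 ;;
    esac
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # Default: discard anything not explicitly accepted below.
        type filter hook input priority 0; policy drop;

        # Loopback, and packets belonging to connections this host started.
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMP stays usable (ping, path MTU discovery) but is rate-limited
        # so a spoofed-source flood cannot turn this host into a reflector.
        ip protocol icmp limit rate 10/second accept
        ip6 nexthdr icmpv6 limit rate 10/second accept

        # The only advertised services: HTTP and HTTPS.
        tcp dport { 80, 443 } accept

        # Everything else TCP: $policy.  With "drop" no reply ever leaves
        # the host, so a spoofed source address gets nothing back from us.
        meta l4proto tcp $tail
    }
}
EOF
}

# Count non-comment rules that send something back to an unsolicited sender.
# For the "drop" variant this must be 0: no packet is generated in reply.
reply_rules() {
    ruleset "$1" | grep -v '^ *#' | grep -c reject || true
}

case "${1:-print}" in
    print) ruleset "${POLICY:-drop}" ;;
    apply) ruleset "${POLICY:-drop}" | nft -f - ;;   # needs root and nft(8)
esac
```

Run `POLICY=drop sh fw.sh` to inspect the generated rules, or `POLICY=drop sh fw.sh apply` as root to load them with nft(8); afterwards `nft list ruleset` shows what is active. The `ct state established,related accept` line is what keeps a DROP default from breaking replies to connections the host itself opened, which is the usual cause of the "difficult to troubleshoot" complaint in the thread.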

Replies:
Re: firewall suggestions?
-- Trevor Lauder
Re: firewall suggestions?
-- Frank Gruellich
Re: firewall suggestions?
-- Oliver Schad
References:
Re: firewall suggestions?
-- Oliver Schad