List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Trevor Lauder" <trevor@...>
Subject: Re: firewall suggestions?
Date: Thu, 8 Jan 2004 18:51:05 -0700 (MST)
Ben Cressey said:
>> To hide a host is always very stupid, why should you do this? There is
>> no advantage.  If you "hide" your computer an attacker knows there is a
>> stupid guy who doesn't know anything about network security.
>
> You're rather free with calling people "stupid" with little to no
> justification. One could as easily turn it around and ask "why should my
> server reply at all to connection attempts to ports I am not running any
> services on?"
>
> If I am just running a web server, nobody has any business connecting to
> any port besides 80/tcp and 443/tcp.  ICMP traffic is fine, but what
> legitimate purpose is there in attempting a connection to another tcp
> port?  If I was running another service at that IP address, it would be
> advertised through the appropriate channels.  Users would (obviously) not
> need to run a port scan to discover it.
>
> Since the person is trying to connect to a port they have no business
> connecting to, I don't see why my server should send out a packet in
> reply.  It's not about hiding the server or some fictitious security
> gain -- although as someone pointed out replying to potentially spoofed
> source addresses could be leveraged into some form of DoS attack.  While
> the chances of this are probably not high, they are precisely *zero* if
> you don't bother to reply in the first place.
>

The post above is probably the most logical post on this subject to this
list so far.  No one is slowing down the "net" or causing problems for
other people by using DROP instead of REJECT.  Calling people stupid
because they don't follow your interpretation of the RFC does nothing but
lower your credibility on the subject.  Instead of throwing insults at
people, how about you just stick to sharing valid information?  As was
said above, people have no reason to connect to a closed port on my
servers.  If I choose to DROP that connection attempt instead of REJECT
it, then that is my choice and I don't really care if it causes problems
for that person.  I see no reason to waste *my* bandwidth in sending a
reply back to a person that most likely has no valid reason for trying to
connect to that closed port.  People might say that it is "polite" to send
a reply back, but why should I be polite to an uninvited and unwanted
connection attempt on a port that isn't even open?

Trevor

--
gentoo-security@g.o mailing list
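
The web-server policy Ben describes (only 80/tcp and 443/tcp advertised, ICMP allowed, silence to every other port) written as a present-day nftables ruleset, added here as an illustration rather than a configuration posted in this thread; the interface name and rate-limit figures are assumed values, and the REJECT alternative the thread argues about is left as a commented line so the two choices can be compared side by side.

```nft
#!/usr/sbin/nft -f
# Added example: the DROP-by-default host firewall discussed in the thread.
flush ruleset

table inet filter {
    chain input {
        # Chain policy is the "DROP" choice: unmatched packets get no reply.
        type filter hook input priority filter; policy drop;

        # Loopback and packets belonging to flows we initiated or accepted.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is fine (path MTU discovery, unreachables), but bound the reply
        # rate so the host cannot be made to answer a flood of spoofed probes.
        # 10/second is an assumed figure; tune to the link.
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second burst 20 packets accept

        # The only services this host advertises.
        tcp dport { 80, 443 } accept

        # Everything else falls through to the drop policy above.
        # "REJECT" alternative: answer closed ports with a TCP RST, rate-limited
        # so a spoofed-source SYN flood cannot turn this host into a reflector.
        # tcp flags syn limit rate 5/second burst 10 packets reject with tcp reset
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load with `nft -f <file>`; with the commented line left out, a SYN to any port other than 80 or 443 is discarded without a reply, which is the outcome both posters above are defending.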
