Gentoo Archives: gentoo-security

From: Oliver Schad <o.schad@×××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 23:24:45
In Reply to: Re: [gentoo-security] firewall suggestions? by Daniel Privratsky
On Thursday, 8 January 2004 at 21:50, Daniel Privratsky wrote to me:
> Oliver Schad wrote:
> > On Thursday, 8 January 2004 at 18:57, Daniel Privratsky wrote to me:
> > What the fuck...
> > I don't understand this, we want to break internet standards because
> > some script kids could be (under some circumstances) a little bit
> > slower with their attacks, which can only be successful when an
> > administrator is too stupid to configure his systems. Is that the
> > argumentation for breaking internet standards?
> >
> > *argh*
>
> It is not about script kiddies. It's about security philosophy. REJECT
> means system alive & port closed or firewall in the way and that IS the
> information. DROP covers it with a fog of uncertainty.
Hey, somebody should decide on one line of argument. Now we don't care about script kids? OK, let's take a look at advanced attackers. A closed port is a closed port is a closed port. Should an attacker take a can opener to it? When I know the port is filtered, this is information too. So what?
> Yes, it's bad for standards. Yes, it's good for security. You can choose
> what is good for you.
It's good for nothing.
> Same applies to NAT, transparent proxies, syn defenders etc. Bad for
> pure-internet utopia, but sometimes good for security.
> And that's what is discussed here.
NAT is no security feature; NAT is just NAT. If you want to protect a network from connections established from outside, use a packet filter. But that should be treated in another discussion. You can be secure and not break internet standards. You can run proxies, packet filters etc. without breaking internet standards. It works fine and you don't have to resort to security by obscurity.
> btw: I still don't get it with the icmp "destination unreachable" idea.
> Does it mean that some ultra tight checkpoint firewall should be
> reconfigured to propagate its interfaces to the outer space just
> because someone tries to reach a non-working system? You must be joking.
Reject incoming connections; it works and it agrees with internet standards.

Regards,
Oli

--
gentoo-security@g.o mailing list
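The REJECT-versus-DROP dispute in this thread is about what a remote probe learns and how long it takes to learn it. The following is an added illustration, not code posted by anyone on the list: a small model of a SYN scan against the same ports under each netfilter target. The responses are what Linux sends for each rule (RST for a closed port with no rule or for REJECT --reject-with tcp-reset, ICMP type 3 code 3 for the default REJECT, ICMP type 3 code 13 for --reject-with icmp-admin-prohibited, nothing for DROP); the classification follows the rules nmap documents for SYN probes; the RTT, timeout and retry figures are assumptions chosen to make the timing difference visible.

```python
"""Model of what a SYN scan learns under REJECT vs DROP.

Constructed example for the gentoo-security REJECT/DROP discussion; not
code from the thread.  Response mapping follows the iptables REJECT target
(default for TCP is icmp-port-unreachable); timing constants are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed timing constants (illustrative only).
RTT_S = 0.02             # round trip for a port that answers at all
PROBE_TIMEOUT_S = 1.0    # scanner waits this long before retransmitting
RETRIES = 2              # retransmissions before giving up on a silent port


@dataclass(frozen=True)
class Response:
    kind: str                       # "rst", "icmp" or "none"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# What the kernel sends back for a SYN under each rule / port state.
POLICY_RESPONSE: Dict[str, Response] = {
    "closed":                  Response("rst"),          # no rule, nothing listening
    "reject":                  Response("icmp", 3, 3),   # REJECT (default icmp-port-unreachable)
    "reject-admin-prohibited": Response("icmp", 3, 13),  # --reject-with icmp-admin-prohibited
    "reject-tcp-reset":        Response("rst"),          # --reject-with tcp-reset
    "drop":                    Response("none"),         # DROP
}

# ICMP type 3 codes that nmap's SYN scan documentation reports as "filtered".
FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class ProbeResult:
    state: str        # "closed" or "filtered", as a scanner would report it
    host_alive: bool  # did anything at all answer the probe?
    seconds: float    # wall-clock cost of this one probe to the scanner
    note: str


def classify(resp: Response) -> str:
    """nmap-style SYN probe classification."""
    if resp.kind == "rst":
        return "closed"
    if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code in FILTERED_CODES:
        return "filtered"
    if resp.kind == "none":
        return "filtered"          # no answer after retries is also "filtered"
    raise ValueError(f"unexpected response {resp}")


def probe(policy: str) -> ProbeResult:
    resp = POLICY_RESPONSE[policy]
    state = classify(resp)
    if resp.kind == "none":
        # DROP: the scanner burns the full timeout on every retransmission.
        return ProbeResult(state, False, PROBE_TIMEOUT_S * (RETRIES + 1),
                           "no reply: host down, or a filter silently dropping")
    if resp.kind == "rst":
        return ProbeResult(state, True, RTT_S,
                           "TCP RST: closed port or REJECT tcp-reset; indistinguishable")
    return ProbeResult(state, True, RTT_S,
                       f"ICMP type 3 code {resp.icmp_code}: a filter answered, so something is alive")


def scan(ports: Dict[int, str]) -> Dict[int, ProbeResult]:
    return {port: probe(policy) for port, policy in ports.items()}


def total_seconds(results: Dict[int, ProbeResult]) -> float:
    return round(sum(r.seconds for r in results.values()), 3)


if __name__ == "__main__":
    # Constructed host: one genuinely closed port plus two filtered ones,
    # first with REJECT and then with DROP on the filtered ports.
    for label, policy in (("REJECT", "reject"), ("DROP", "drop")):
        results = scan({22: "closed", 80: policy, 443: policy})
        print(f"--- {label} ---")
        for port, r in sorted(results.items()):
            print(f"{port:>5}/tcp {r.state:<9} alive={r.host_alive!s:<5} "
                  f"{r.seconds:.2f}s  {r.note}")
        print(f"total probe time: {total_seconds(results):.2f}s")
```

Running it shows the two positions side by side: under the default REJECT the scanner labels the filtered ports exactly as it would under DROP ("filtered"), but it gets the answer in one round trip and knows a device is alive; under DROP it gets the same label only after exhausting its retransmissions. Only --reject-with tcp-reset makes a filtered port look like a plain closed one.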