Gentoo Archives: gentoo-security

From: Daniel Privratsky <dsokrates@××××××.cz>
To: gentoo-security@l.g.o
Cc: o.schad@×××.de
Subject: Re: [gentoo-security] firewall suggestions?
Date: Mon, 12 Jan 2004 23:53:09
In Reply to: Re: [gentoo-security] firewall suggestions? by Oliver Schad
Oliver Schad wrote:
> On Thursday, 8 January 2004 at 18:57, Daniel Privratsky wrote to me:
>
>> Wrong.
>>
>> 1) If you don't receive a "destination unreachable" packet, you know
>> nothing about the target host yet. This is not a perfect-network world.
>> There can be another fw/router anywhere in the way, killing this type of
>> icmp traffic.
>>
>> 2) It slows scans a lot. You can of course do scanning in parallel, but
>> don't be surprised when you find yourself killed with no mercy by an IDS
>> after matching the SYN threshold. 1000+ SYNs/sec from an IP address to a
>> monitored system is a sure ban.
>
>
> What the fuck...
> I don't understand this, we want to break internet standards because some
> script kids could be (under some circumstances) a little bit slower with
> their attacks, which can only be successful when an administrator is too
> stupid to configure his systems. Is that the argumentation for breaking
> internet standards?
>
> *argh*
It is not about script kiddies. It's about security philosophy. REJECT means
"system alive & port closed" or "firewall in the way", and that IS the
information. DROP covers it with a fog of uncertainty. Yes, it's bad for
standards. Yes, it's good for security. You can choose what is good for you.
The same applies to NAT, transparent proxies, SYN defenders etc. Bad for the
pure-internet utopia, but sometimes good for security. And that's what is
discussed here.

btw: I still don't get it with the icmp "destination unreachable" idea. Does
it mean that some ultra-tight Checkpoint firewall should be reconfigured to
propagate its interfaces to the outer space just because someone tries to
reach a non-working system? You must be joking.

Regards
Daniel

--
gentoo-security@g.o mailing list
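The difference the thread argues over can be made concrete from the scanner's side. The following is an added illustration, not code from the thread or from any Gentoo project: it models one TCP SYN probe per port against a constructed host whose firewall either REJECTs (iptables `--reject-with icmp-port-unreachable` or `tcp-reset`) or DROPs, records what an nmap-style scanner can conclude from each reply, and totals the scanner's wall-clock cost. The round-trip, timeout and retry constants are assumptions, as is the "something on the path discards ICMP errors" switch that stands in for Daniel's point 1. Any reply at all, including a SYN-ACK from an open port, proves a live host, which is why DROP only hides the closed ports, not the listening ones.

```python
"""Added illustration (not from the thread): what a SYN scanner learns from a
host whose firewall REJECTs versus DROPs, and what the scan costs it.
Target host and timing constants are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    SYN_ACK = "syn-ack"                 # a service is listening
    RST = "rst"                         # closed port, or REJECT --reject-with tcp-reset
    ICMP_UNREACH = "icmp-unreachable"   # REJECT default (port-unreachable) or admin-prohibited
    NONE = "no reply"                   # DROP, or something on the path discarded the answer


@dataclass
class Target:
    """Constructed host: listening ports, plus the firewall target for the rest."""
    listening: set
    policy: str                                  # "REJECT" or "DROP" (iptables target names)
    reject_with: str = "icmp-port-unreachable"   # iptables --reject-with value, or "tcp-reset"
    path_drops_icmp: bool = False                # assumed upstream filter eating ICMP errors


def probe(target: Target, port: int) -> Reply:
    """Reply to a single TCP SYN to `port`, as the scanner sees it."""
    if port in target.listening:
        return Reply.SYN_ACK
    if target.policy == "DROP":
        return Reply.NONE
    if target.reject_with == "tcp-reset":
        return Reply.RST                         # TCP, so an ICMP filter on the path does not touch it
    return Reply.NONE if target.path_drops_icmp else Reply.ICMP_UNREACH


def classify(reply: Reply) -> str:
    """Port state the scanner records. nmap reports both ICMP unreachable and
    silence as 'filtered'; here they are split by whether anything answered."""
    return {
        Reply.SYN_ACK: "open",
        Reply.RST: "closed",
        Reply.ICMP_UNREACH: "filtered (something answered)",
        Reply.NONE: "filtered (silence)",
    }[reply]


# Assumed scanner timing: one round trip for an answered probe; a silent
# probe waits out the timeout and is retransmitted RETRIES times first.
RTT_MS = 50
TIMEOUT_MS = 1000
RETRIES = 2


def scan(target: Target, ports: range) -> dict:
    """Serial SYN scan: per-state counts, whether any reply proved a live
    host on the path, and total wall-clock cost in milliseconds."""
    counts: dict = {}
    alive = False
    cost_ms = 0
    for port in ports:
        reply = probe(target, port)
        state = classify(reply)
        counts[state] = counts.get(state, 0) + 1
        if reply is Reply.NONE:
            cost_ms += TIMEOUT_MS * (1 + RETRIES)
        else:
            cost_ms += RTT_MS
            alive = True
    return {"states": counts, "host_alive": alive, "cost_ms": cost_ms}


if __name__ == "__main__":
    ports = range(1, 1025)
    listening = {22, 80}
    for label, t in [
        ("REJECT (icmp-port-unreachable)", Target(listening, "REJECT")),
        ("REJECT (tcp-reset)", Target(listening, "REJECT", "tcp-reset")),
        ("REJECT, path drops ICMP", Target(listening, "REJECT", path_drops_icmp=True)),
        ("DROP", Target(listening, "DROP")),
    ]:
        r = scan(t, ports)
        print(f"{label:32s} alive={str(r['host_alive']):5s} "
              f"cost={r['cost_ms'] / 1000:8.1f}s {r['states']}")
```

With these assumed constants the REJECT host answers all 1024 probes in about 51 s and confirms itself alive on the first closed port; the DROP host costs the same serial scanner about 51 min for the 1022 silent ports, and a REJECT host behind a path that discards ICMP errors is indistinguishable from it, which is the "fog of uncertainty" and the "you know nothing yet" point of the two messages. Running the probes in parallel buys that time back only at the SYN rate the quoted text says an IDS will notice.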


Replies to this message:
Re: [gentoo-security] firewall suggestions?  Oliver Schad <o.schad@×××.de>