Gentoo Archives: gentoo-security

From: Stephen Clowater <steve@×××××××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 07:30:00
Hash: SHA1

I think we can sum up this entire disccusion as it partains to the
original topic of firewalls with a few simple points.

You can not Block ICMP, it breaks tcp, its a "controll Message Prococol"
for a reason. If you block it, you can not send squelches, routes
unreachable, ect. Point being, block ICMP on your local box, you will
see a few odd problems, but nothing to devestaing. Block it on a pice of
networking hardware, you will $%@#$ up a network.

However, what is safe to block is ICMP echo requests (type 5, or type 9
(?) I can't rember specificly), and  it is important (and I belive done
by default by the kernel [or at least by MY kernel]) to block any
response to an ICMP brodcast. To avoid participating in a smurf attack.

Secondly, DROP, or REJECT. It dosn't realy matter. Personally, I drop.
Since I see no need of sending a reply back, since there is no
legitimate reason to connect on this port. And yes, it DOES slow down a
person doing a conventional port scan on you. (ie - Someone across the
room downloads and runs NMAP on you with the defautls)

HOWEVER, if someone is serious about port scanning you, they are going
to be parralizing it. Scan half the ports with one sweep. Makes the scan
go pretty quick regardless of weather you REJECT or DROP.

As I said, personally, my default policy is DROP, as I said above,
personally, I see no reason for my computer to respond to yours with any
ICMP messages if you are trying to connect on a blocked port. Secondly,
DROP is a few cycles faster that REJECT, which can help out a little in
a DOS scenario (please no one argue about the speed consiquences of
using DROP over reject, I will concide now (pardon my spelling, or lack
thereof) it makes no difference unless your doing it on a cisco 8700
series router at the border of a class A network that is over 70% full)

However, for almost all users out there, you could change your DROPs to
REJECTs and you would be fine. Your not opening up some mysterious hole
by doing so, moreover, your not making yourself any less conspicious
[spelling, yes i know :p] to the attackers you need to worry about.

Now lets all go read the RFC for ICMP and TCP...
- --
Stephen Clowater

BOFH Excuse #229:

wrong polarity of neutron flow

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?  "grep -i 'meaning of life' /dev/null": "grep \
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }

Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] firewall suggestions? "Paul S." <snafu@××××××××××××.org>