| 1 |
Hello, |
| 2 |
|
| 3 |
* Mark Hurst <mark@××××××.net> 8. Jan 04 |
| 4 |
> It's much better to have a firewall than just have ports not open. Even |
| 5 |
> though a port is not open it can reveal the presence of your machine by |
| 6 |
> the manner in which the IP stack responds to a connection attempt. Using a |
| 7 |
> firewall you can drop those packets, making all your closed ports |
| 8 |
> invisible. |
| 9 |
|
| 10 |
Sorry, but this is completely nonsense. You should always use the |
| 11 |
REJECT target. To simply drop pakets is contrary the standards and |
| 12 |
hampers net traffic. If you don't want to talk to me, say so. Simply |
| 13 |
remain silent and let me wait is very unpolite. |
| 14 |
|
| 15 |
And in fact you gain no security in 'hiding' your machine by dropping |
| 16 |
pakets. If somebody 'tests' your machine and it's off the net, he will |
| 17 |
get a ICMP host unreachable from your gataway. If he doesn't get any |
| 18 |
answer, he knows, that it is online and there is an braindead root in |
| 19 |
front of this machine, knowing nothing about IP, but playing with his |
| 20 |
filter, so let's see, if it's mis-configured box maybe has an telnet |
| 21 |
open or any other broken services he wasn't able to unbound from |
| 22 |
external interfaces. |
| 23 |
|
| 24 |
DROP is rarely useful to remove damaged pakets or in combination with |
| 25 |
the -m --limit condition to prevent some DoS atacks or. |
| 26 |
|
| 27 |
Thou shallth not use thy DROP targeth (mostly), |
| 28 |
regards, Frank. |
| 29 |
-- |
| 30 |
Sigmentation fault |
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-security@g.o mailing list |
Archives