Hello,

* Mark Hurst <mark@××××××.net> 8. Jan 04
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
> invisible.

Sorry, but this is completely nonsense. You should always use the
REJECT target. To simply drop packets is contrary to the standards and
hampers net traffic. If you don't want to talk to me, say so. Simply
remaining silent and letting me wait is very impolite.

And in fact you gain no security in 'hiding' your machine by dropping
packets. If somebody 'tests' your machine and it's off the net, he will
get an ICMP host unreachable from your gateway. If he doesn't get any
answer, he knows that it is online and there is a braindead root in
front of this machine, knowing nothing about IP, but playing with his
filter, so let's see if this mis-configured box maybe has a telnet
open or any other broken services he wasn't able to unbind from
external interfaces.

DROP is rarely useful to remove damaged packets or in combination with
the -m --limit condition to prevent some DoS attacks.

Thou shallth not use thy DROP targeth (mostly),
regards, Frank.
--
Sigmentation fault

--
gentoo-security@g.o mailing list
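As an added example, not part of Frank's mail or the original thread: an iptables-restore ruleset that follows the policy he argues for. It assumes a constructed scenario of a host offering SSH on port 22; everything unwanted is answered with an explicit REJECT, and DROP is reserved for packets conntrack marks INVALID and for the limit-based flood protection he mentions.

```conf
# Constructed example ruleset for iptables-restore (not from the original mail).
# Policy: answer every unwanted packet with a REJECT so the peer gives up at once;
# use DROP only for damaged (INVALID) packets and for rate-limited floods.
*filter
# The DROP policy is only a backstop; the explicit REJECT rules below match everything first.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Damaged or out-of-state packets: there is nothing sensible to reply with, so DROP.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Offered service (assumed: SSH). New connections above the limit are dropped,
# which is the "-m limit against DoS" case the mail mentions.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
# Everything else is answered, not silently discarded:
# TCP gets a RST, UDP an ICMP port-unreachable, other protocols an ICMP protocol-unreachable.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
```

Load it with `iptables-restore < rules.v4`; a scanner then sees closed ports answered exactly as they would be without a firewall, while a SYN flood against port 22 is throttled by the `-m limit` rule instead of consuming backlog.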