Gentoo Archives: gentoo-security

From: Frank Gruellich <frank@××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 08:07:23
In Reply to: Re: [gentoo-security] firewall suggestions? by Mark Hurst

* Mark Hurst <mark@××××××.net>  8. Jan 04
> It's much better to have a firewall than just have ports not open. Even
> though a port is not open it can reveal the presence of your machine by
> the manner in which the IP stack responds to a connection attempt. Using a
> firewall you can drop those packets, making all your closed ports
> invisible.
Sorry, but this is completely nonsense. You should always use the REJECT target. To simply drop packets is contrary to the standards and hampers net traffic. If you don't want to talk to me, say so. Simply remaining silent and letting me wait is very impolite.

And in fact you gain no security in 'hiding' your machine by dropping packets. If somebody 'tests' your machine and it's off the net, he will get an ICMP host unreachable from your gateway. If he doesn't get any answer, he knows that it is online and there is a braindead root in front of this machine, knowing nothing about IP, but playing with his filter, so let's see if this mis-configured box maybe has a telnet open or any other broken services he wasn't able to unbind from external interfaces.

DROP is rarely useful to remove damaged packets or in combination with the -m --limit condition to prevent some DoS attacks or.

Thou shallth not use thy DROP targeth (mostly),
regards, Frank.

-- 
Sigmentation fault

--
gentoo-security@g.o mailing list
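An added example, not from the thread or its authors, of an iptables rule set built along the lines of the reply above: closed ports answer with REJECT (a TCP reset or an ICMP unreachable), while DROP is kept only for the two cases the mail concedes, malformed packets and the overflow of a `-m limit` rate limit. The external interface name eth0 and ssh on port 22 as the sole exposed service are placeholders; by default the script dry-runs by printing the commands, and setting IPT=iptables loads them for real.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables rule set in the spirit of
# the reply above. Closed ports get REJECT (TCP reset / ICMP unreachable)
# instead of a silent DROP; DROP is kept only for malformed packets and for
# the overflow of a rate limit (-m limit), the two uses the mail concedes.
# Assumptions (placeholders): external interface eth0, ssh on port 22 is the
# only exposed service. IPT defaults to a dry run that prints the commands;
# set IPT=iptables (as root) to load them.
IPT="${IPT:-echo iptables}"

firewall_rules() {
    ext_if="${1:-eth0}"   # placeholder interface name

    # Start clean and create a helper chain for SYN rate limiting.
    $IPT -F INPUT
    $IPT -N SYNLIMIT 2>/dev/null || true
    $IPT -F SYNLIMIT

    # Loopback, and replies to connections we opened ourselves, are always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$ext_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Legitimate DROP #1: packets the connection tracker finds malformed.
    $IPT -A INPUT -i "$ext_if" -m state --state INVALID -j DROP

    # Legitimate DROP #2: new TCP connections above a rate limit. Within the
    # limit we RETURN to INPUT and keep evaluating; the excess is dropped,
    # since answering every packet of a flood would only add to the traffic.
    $IPT -A SYNLIMIT -m limit --limit 20/s --limit-burst 40 -j RETURN
    $IPT -A SYNLIMIT -j DROP
    $IPT -A INPUT -i "$ext_if" -p tcp --syn -j SYNLIMIT

    # The one service we actually offer.
    $IPT -A INPUT -i "$ext_if" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Everything else: say no the way the protocol expects. A TCP RST for TCP,
    # ICMP port-unreachable for UDP, ICMP protocol-unreachable for the rest,
    # so the peer fails immediately instead of waiting for a timeout.
    $IPT -A INPUT -i "$ext_if" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$ext_if" -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -i "$ext_if" -j REJECT --reject-with icmp-proto-unreachable
}

firewall_rules "$@"
```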

