Gentoo Archives: gentoo-security

From: Mark Hurst <mark@××××××.net>
To: Frank Gruellich <frank@××××××××××××.org>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 23:49:30
In Reply to: Re: [gentoo-security] firewall suggestions? by Frank Gruellich
> Sorry, but this is completely nonsense. You should always use the
> REJECT target. To simply drop packets is contrary to the standards and
> hampers net traffic. If you don't want to talk to me, say so. Simply
> remaining silent and letting me wait is very unpolite.
So it's nonsense, stupid, unpolite (sic) and brain-dead to default drop incoming traffic? OK, if you say so. I must make a note to inform the authors of every firewall manual and book I've ever read that they're wrong. How exactly does it "hamper net traffic" to let you time out when connecting to a closed port?
> And in fact you gain no security in 'hiding' your machine by dropping
> packets. If somebody 'tests' your machine and it's off the net, he will
> get an ICMP host unreachable from your gateway. If he doesn't get any
> answer, he knows that it is online and there is a braindead root in
> front of this machine, knowing nothing about IP, but playing with his
> filter, so let's see if this mis-configured box maybe has a telnet
> open or any other broken services he wasn't able to unbind from
> external interfaces.
Yeah, top statement there. Your attacker knows no such thing; all he knows is that he timed out instead of getting rejected instantly. If you try a random port on some random IP address and you don't get a host unreachable, do you KNOW that it's up? Of course you don't, unless you control every router in the world. You should tone down the insults. Trying to show how clever you are by being rude is not productive. Better go now and try to unbind broken services from my external interfaces like the braindead root that I am. And play with my filter. Thanks for the laughs.

--
gentoo-security@g.o mailing list
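The two policies argued over in this thread, written out as an iptables-restore ruleset. This is an added example, not a configuration from either poster; the exposed SSH port is assumed, and the rule set is deliberately minimal. Variant A answers unwanted traffic explicitly (a TCP RST or an ICMP port-unreachable, which is what REJECT sends by default), so a client sees "connection refused" immediately; variant B relies on the chain policy of DROP, so the client waits for its own timeout. The host-level consequence of REJECT is one extra outbound packet per refused probe.

```conf
*filter
# Chain policies: anything not matched below is silently dropped (variant B)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Services intentionally exposed (assumed: SSH on TCP/22)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Variant A: refuse everything else explicitly.
# TCP probes get a RST, UDP probes get ICMP port-unreachable (REJECT's default),
# so the remote side learns "closed" at once rather than waiting.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Variant B: remove the two REJECT rules above and the INPUT policy of DROP
# takes over; unwanted packets are discarded with no reply and the remote
# side only sees a timeout.
COMMIT
```

Load with `iptables-restore < rules.v4`; check the result with `iptables -L INPUT -v -n`, where the per-rule packet counters show which branch unwanted traffic is actually hitting.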