Gentoo Archives: gentoo-security

From: Scott Taylor <scott@××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 22:09:33
In Reply to: Re: [gentoo-security] firewall suggestions? by Paul de Vrieze
Replying in a specific manner which may have been at one point the
proper and polite way for an IP stack to behave, often turns into a
method for abuse. Spoof a bunch of syn packets to a host you know
replies with a rst, and it sends all those extra packets to a victim
machine who never sent the syn packet in the first place. So that
machine sends back "port unreachables" and further clogs up their

Add to that all the silly microsoft products that either blatantly
ignore or just never bothered to read the appropriate RFC... For my
network, I opt to spew out as few replies to unwanted traffic as
possible. I've already got too many worms out there wasting my bandwidth
trying to infect me with the sql slammer or whatever the worm of the day
is. I'd rather not waste any more of my bandwidth telling them that they
can't connect here. They probably aren't even checking for an icmp
unreachable message back from me anyway.

On Thu, 2004-01-08 at 14:11, Paul de Vrieze wrote:
> On Thursday 08 January 2004 21:55, Oliver Schad wrote:
> > --------------[RFC 792 - INTERNET CONTROL MESSAGE PROTOCOL]---------
> > /
> >
> > | If, in the destination host, the IP module cannot deliver the
> > | datagram because the indicated protocol module or process port is
> > | not active, the destination host may send a destination
> > | unreachable message to the source host.
> >
> > \
> > ---------------------------------------------------------------
>
> May still means that it is not required, so technically not replying is not an
> error when looking only at this snippet.
>
> Paul
--
Scott Taylor - <scott@××××××××××××××××.net>
"Are you all right?" -Leela
"Ah, it's nothing a law suit won't cure." -Bender
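The two firewall postures argued over in this thread, written out as iptables rule sets. This is an added example, not code from Scott's message or from the Gentoo project: it assumes one public interface, SSH as the only exposed service, and an overridable `IPT` variable (for example `IPT="echo iptables"`) so the rules can be printed instead of installed. The "quiet" set lets unwanted packets fall through to a DROP policy and so never emits the RST or ICMP port-unreachable that a spoofed source could have aimed at a third party; the "reject" set answers every unwanted packet, which is the behaviour the message above chooses not to have.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rule sets for a host
# that wants to answer as little unsolicited traffic as possible.
# Assumptions: one public interface, SSH is the only exposed service, and
# $IPT may be overridden (IPT="echo iptables") to dry-run the rules.
IPT="${IPT:-iptables}"

common_rules() {
    $IPT -P INPUT DROP                      # default policy: silent discard
    $IPT -A INPUT -i lo -j ACCEPT           # loopback traffic
    # packets belonging to flows we started (or related ICMP errors) are fine
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # stray RST/ACK segments that match no known flow: discard without reply
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# "Quiet" variant: nothing else matches, so unwanted packets hit the DROP
# policy and the host sends neither a TCP RST nor an ICMP port-unreachable.
quiet_ruleset() {
    common_rules
}

# "Reject" variant: same filtering, but each unwanted packet is explicitly
# answered, i.e. the reply behaviour the thread argues is abusable.
reject_ruleset() {
    common_rules
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Count the reply-generating (REJECT) rules a rule set would install.
# Intended for dry-run use: set IPT="echo iptables" before calling.
count_reject_rules() {
    "$1" | grep -c -- '-j REJECT' || true
}
```

To inspect either set without touching the running firewall, run `IPT="echo iptables" quiet_ruleset` (or `reject_ruleset`) after sourcing the script. A middle ground between the two, if a host does want to send ICMP errors, is the kernel's own `net.ipv4.icmp_ratelimit` sysctl, which caps how many ICMP error replies are emitted per interval regardless of what the firewall rules allow.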