Re: Clever firewall rules

From: Scott Gifford (sgifford@tir.com)
Date: 09/16/01


To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
From: Scott Gifford <sgifford@tir.com>
Date: 16 Sep 2001 05:00:20 -0400
Message-ID: <lyelp75x3v.fsf@gfn.org>

On Fri, 14 Sep 2001, Welsh, Armand wrote:

> the big argument I hear is that if you drop packets instead of rejecting
> them, then some systems will pause (timeout) on identd lookups. My
> attitude is that I don't run identd services, and I think they should
> not be tied to internet services anyways. On the inside it's nice, but
> if people are using identd on the internet, too bad. They can timeout.
> I would rather be in stealth mode, than to advertise to others that I am
> not accepting the connection.

I don't understand exactly what this is supposed to accomplish; you've
already advertised your IP address by connecting to the service in
general, and they're going to know you're not running ident
eventually; it's just a matter of whether they (and probably you) wait
1 second or 30. What information does this hide?

There are legitimate reasons for using ident. From multiuser systems
in particular, ident lets you block a single user instead of the
entire server, or lets a sysadmin identify an abusive user from the
system.

> Regarding ICMP, I permit ICMP echo-request, and echo-reply. All other
> ICMP packets I reject (except for some icmp unreachable packets) so that
> I don't have to timeout on bad routes.

You may have trouble with Path MTU Discovery if you disallow
Must-Fragment, and you might get poorer diagnostics in the event of a
routing loop without Time-Exceeded. The others are all probably
worthy of ignoring, though.

-----ScottG.
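As an added illustration of the two points argued above (not code from either poster): the ident port answered with a TCP reset rather than silently dropped, so the remote server's identd lookup fails at once instead of waiting out its timeout, and an ICMP policy that keeps echo, Fragmentation Needed (so Path MTU Discovery keeps working) and Time Exceeded (so traceroute and routing loops stay diagnosable) while dropping the rest. The script assumes Linux iptables with the conntrack match and an external interface named eth0 (both assumptions); it prints the rules rather than applying them so they can be reviewed first, and the DROP variant for ident is shown alongside for comparison.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: Linux iptables
# with the conntrack match, external interface eth0 (override with IFACE=...).
IFACE="${IFACE:-eth0}"

# ident (113/tcp). "reject" sends a RST so the peer's identd lookup fails
# immediately; "drop" is the "stealth" variant that makes it wait for a timeout.
ident_rule() {
    case "$1" in
        reject)
            printf 'iptables -A INPUT -i %s -p tcp --dport 113 -j REJECT --reject-with tcp-reset\n' "$IFACE"
            ;;
        drop)
            printf 'iptables -A INPUT -i %s -p tcp --dport 113 -j DROP\n' "$IFACE"
            ;;
        *)
            echo "usage: ident_rule reject|drop" >&2
            return 1
            ;;
    esac
}

# ICMP policy: allow the types the host actually needs, drop everything else.
icmp_rules() {
    cat <<EOF
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-reply -j ACCEPT
# type 3 code 4: needed for Path MTU Discovery, or large transfers stall
iptables -A INPUT -i $IFACE -p icmp --icmp-type fragmentation-needed -j ACCEPT
# type 11: traceroute and routing-loop diagnostics
iptables -A INPUT -i $IFACE -p icmp --icmp-type time-exceeded -j ACCEPT
# type 3 code 3: lets UDP clients (DNS, traceroute) fail fast instead of timing out
iptables -A INPUT -i $IFACE -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A INPUT -i $IFACE -p icmp -j DROP
EOF
}

# Full rule listing: established/related traffic first, then ident, then ICMP.
build_rules() {
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IFACE"
    ident_rule "${1:-reject}"
    icmp_rules
}

# Apply the rules (must be root). Review the output of build_rules first.
apply_rules() {
    build_rules "${1:-reject}" | grep -v '^#' | sh
}
```

Run `sh rules.sh` after appending `build_rules` to print the rule set, or `apply_rules` as root to install it; `build_rules drop` shows the silent-drop alternative for ident that the thread argues against.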
