Re: Clever firewall rules
From: Scott Gifford (sgifford@tir.com)
Date: 09/16/01
- Previous message: Rob 'Feztaa' Park: "RE: Clever firewall rules"
- Maybe in reply to: Rob 'Feztaa' Park: "Clever firewall rules"
- Next in thread: hvdkooij@vanderkooij.org: "Re: Clever firewall rules"
- Next in thread: Hal Flynn: "Re: Clever firewall rules"
- Reply: hvdkooij@vanderkooij.org: "Re: Clever firewall rules"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
From: Scott Gifford <sgifford@tir.com>
Date: 16 Sep 2001 05:00:20 -0400
Message-ID: <lyelp75x3v.fsf@gfn.org>
On Fri, 14 Sep 2001, Welsh, Armand wrote:
> The big argument I hear is that if you drop packets instead of rejecting
> them, then some systems will pause (timeout) on identd lookups. My
> attitude is that I don't run identd services, and I think they should
> not be tied to internet services anyways. On the inside it's nice, but
> if people are using identd on the internet, too bad. They can timeout.
> I would rather be in stealth mode than advertise to others that I am
> not accepting the connection.
I don't understand exactly what this is supposed to accomplish; you've
already advertised your IP address by connecting to the service in
general, and they're going to know you're not running ident
eventually; it's just a matter of whether they (and probably you) wait
1 second or 30. What information does this hide?
There are legitimate reasons for using ident. From multiuser systems
in particular, ident lets you block a single user instead of the
entire server, or lets a sysadmin identify an abusive user from the
system.
> Regarding ICMP, I permit ICMP echo-request and echo-reply. All other
> ICMP packets I reject (except for some ICMP unreachable packets) so that
> I don't have to timeout on bad routes.
You may have trouble with Path MTU Discovery if you disallow
Must-Fragment, and you might get poorer diagnostics in the event of a
routing loop without Time-Exceeded. The others are all probably
worthy of ignoring, though.
-----ScottG.
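To make the ICMP point of the exchange concrete, here is an added example (not from the thread or its authors): a small Python ICMP header parser and two constructed filter policies, one that permits echo only and one that also admits Fragmentation Needed (type 3, code 4) and Time Exceeded (type 11). A constructed Fragmentation Needed message carrying a next-hop MTU, the message Path MTU Discovery depends on, survives only under the second policy. Type and code numbers are from RFC 792 and RFC 1191; the policy names, sample packets and function names are assumptions of this example.

```python
import struct

# ICMP types and codes named in the thread (values from RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable code: fragmentation needed and DF set

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Constructed sample ICMP message: header, 4 'rest of header' bytes, payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(msg: bytes) -> dict:
    """Return type/code (plus next-hop MTU for Fragmentation Needed); reject bad checksums."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("malformed ICMP message")
    info = {"type": msg[0], "code": msg[1]}
    if info["type"] == DEST_UNREACH and info["code"] == FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]  # RFC 1191 field
    return info

# (type, code) pairs a policy accepts; code None matches any code. Both are constructed.
POLICY_ECHO_ONLY = {(ECHO_REQUEST, None), (ECHO_REPLY, None)}
POLICY_PMTUD_SAFE = POLICY_ECHO_ONLY | {(DEST_UNREACH, FRAG_NEEDED), (TIME_EXCEEDED, None)}

def verdict(msg: bytes, policy: set) -> str:
    """ACCEPT if the message matches an allowed (type, code) pair, else REJECT."""
    info = parse_icmp(msg)
    if any(info["type"] == t and (c is None or info["code"] == c) for t, c in policy):
        return "ACCEPT"
    return "REJECT"

if __name__ == "__main__":
    # Constructed Fragmentation Needed message advertising a next-hop MTU of 1400
    frag = build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=struct.pack("!HH", 0, 1400))
    for name, pol in (("echo-only", POLICY_ECHO_ONLY), ("pmtud-safe", POLICY_PMTUD_SAFE)):
        print(name, "frag-needed (mtu %d):" % parse_icmp(frag)["next_hop_mtu"], verdict(frag, pol))
```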