Re: Clever firewall rules

From: hvdkooij@vanderkooij.org
Date: 09/17/01


From: hvdkooij@vanderkooij.org
Date: Mon, 17 Sep 2001 07:51:19 +0200 (CEST)
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <Pine.LNX.4.33.0109170746460.11258-100000@ultra1.hugo.vanderkooij.org>

On 16 Sep 2001, Scott Gifford wrote:

> On Fri, 14 Sep 2001, Welsh, Armand wrote:
>
> > the big argument I hear is that if you drop packets instead of rejecting
> > them, then some systems will pause (timeout) on identd lookups. My
> > attitude is that I don't run identd services, and I think they should
> > not be tied to internet services anyways. On the inside it's nice, but
> > if people are using identd on the internet, too bad. They can timeout.
> > I would rather be in stealth mode, than to advertise to others that I am
> > not accepting the connection.
>
> I don't understand exactly what this is supposed to accomplish; you've
> already advertised your IP address by connecting to the service in
> general, and they're going to know you're not running ident
> eventually; it's just a matter of whether they (and probably you) wait
> 1 second or 30. What information does this hide?

Not much.

> There are legitimate reasons for using ident. From multiuser systems
> in particular, ident lets you block a single user instead of the
> entire server, or lets a sysadmin identify an abusive user from the
> system.

It is known that ident information gathering is something that might as
well be left out as the information can and commonly IS faked. Any
information source that is external and can't be verified should not be
trusted at all.

Hence ident is in effect plain useless. But due to its common use until
now it is better to reject it than to drop it if you don't want it to pass
through.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
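
The reject-versus-drop difference discussed in this thread, seen from the service that performs the ident lookup, as an added example that is not part of the original message. The name `ident_lookup`, the port numbers and the two loopback stand-ins are assumptions constructed for the demonstration; with a real DROP rule the wait happens at connect time rather than at read time, and the outcome is the same timeout.

```python
import socket
import time

def ident_lookup(host, ident_port, service_port, peer_port, timeout=2.0):
    """Send one RFC 1413 query; return (outcome, detail, seconds_waited)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # Query: "<port on the ident host> , <port on the querying host>"
            s.sendall(f"{peer_port} , {service_port}\r\n".encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        # Port rejected with a TCP reset (or nothing listening): fails at once.
        return "refused", None, time.monotonic() - start
    except (socket.timeout, TimeoutError):
        # Packets dropped: no answer, so the lookup waits out the whole timeout.
        return "timeout", None, time.monotonic() - start
    # Reply: "<ports> : USERID : <opsys> : <user-id>" or "<ports> : ERROR : <type>"
    fields = [f.strip() for f in reply.split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        # The user-id is whatever the remote end chose to send; nothing verifies it.
        return "answer-unverified", fields[3], time.monotonic() - start
    return "error", reply, time.monotonic() - start

def closed_port():
    """Constructed stand-in for REJECT: a loopback port with no listener."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def silent_listener():
    """Constructed stand-in for DROP: completes the handshake, never replies."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    listener, quiet_port = silent_listener()
    for label, port in (("reject", closed_port()), ("drop", quiet_port)):
        outcome, _, secs = ident_lookup("127.0.0.1", port, 25, 40000)
        print(f"{label}: {outcome} after {secs:.2f}s")
```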