Re: Differences between closed and filtered ports

From: Lambott@aol.com
Date: 11/19/01


From: Lambott@aol.com
Message-ID: <a1.1e738919.2929aa6d@aol.com>
Date: Sun, 18 Nov 2001 19:21:01 EST
Subject: Re: Differences between closed and filtered ports
To: SECURITY-BASICS@securityfocus.com

From past experience, I believe the risk associated with using REJECT instead
of Drop/Deny on the Gateway (Firewall or Router), especially to block ICMP,
is that this may well give away the identity of the firewall and leaves it
vulnerable to known exploits (published or unpublished).

Just a thought, so please correct me if I am wrong.

Cheers!

T.Lambo, CISSP

In a message dated 18/11/01 20:38:36 GMT Standard Time, bhodi_jabir@yahoo.com
writes:

<< Subj: RE: Differences between closed and filtered ports
 Date: 18/11/01 20:38:36 GMT Standard Time
 From: bhodi_jabir@yahoo.com (Golden_Eternity)
 To: 05.08@web.de (Bandi), SECURITY-BASICS@SECURITYFOCUS.COM
 
> I recently thought about the following. If a port is closed the host
> refuses the connection. What does the host exactly response?
 
 It sends a reset.
 
> Is it necessary that the host responses on a closed port (couldn't that be
> managed in some way with timeouts)?
 
 If the host is alive it sends back a reset so that you don't have to wait
 for the timeout, otherwise the application would be stalled waiting for the
 timeout.
 
> Could you suggest a way to make ipchains act like a port was closed when
> filtering it, so that a portscanner from certain machines wouldn't notice
> the firewall?
 
 Use '-j REJECT' instead of '-j DROP'.
 
 For more info on this subject you can see my paper "Firewall rule exposure
 on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html) but
 your best bet is one of Fyodor's papers on how nmap
 (http://www.insecure.org/nmap/) works.
 
 -G_E
 
 
 
 
 ----------------------- Headers --------------------------------
 Return-Path: <security-basics-return-5791-lambott=aol.com@securityfocus.com>
 Received: from rly-yc05.mx.aol.com (rly-yc05.mail.aol.com [172.18.149.37])
by air-yc05.mail.aol.com (v82.22) with ESMTP id MAILINYC53-1118153836; Sun,
18 Nov 2001 15:38:36 -0500
 Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
[66.38.151.27]) by rly-yc05.mx.aol.com (v82.22) with ESMTP id
MAILRELAYINYC57-1118153824; Sun, 18 Nov 2001 15:38:24 -0500
 Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19])
    by outgoing.securityfocus.com (Postfix) with QMQP
    id 81E96A3114; Sun, 18 Nov 2001 12:19:32 -0700 (MST)
 Mailing-List: contact security-basics-help@securityfocus.com; run by ezmlm
 Precedence: bulk
 List-Id: <security-basics.list-id.securityfocus.com>
 List-Post: <mailto:security-basics@securityfocus.com>
 List-Help: <mailto:security-basics-help@securityfocus.com>
 List-Unsubscribe: <mailto:security-basics-unsubscribe@securityfocus.com>
 List-Subscribe: <mailto:security-basics-subscribe@securityfocus.com>
 Delivered-To: mailing list security-basics@securityfocus.com
 Delivered-To: moderator for security-basics@securityfocus.com
 Received: (qmail 11231 invoked from network); 15 Nov 2001 16:53:20 -0000
 From: "Golden_Eternity" <bhodi_jabir@yahoo.com>
 To: "Bandi" <05.08@web.de>, <SECURITY-BASICS@SECURITYFOCUS.COM>
 Subject: RE: Differences between closed and filtered ports
 Date: Thu, 15 Nov 2001 08:53:06 -0800
 Message-ID: <BAECKHLFBCDACOFIIOLBMEHGCAAA.bhodi_jabir@yahoo.com>
 MIME-Version: 1.0
 Content-Type: text/plain;
    charset="US-ASCII"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
 In-reply-to: <Pine.LNX.4.21.0111131722340.615-100000@tor.not.mil>
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 Importance: Normal
 
>>