Re: Differences between closed and filtered portsFrom: Lambott@aol.com
- Previous message: Nicholas Janzen: "RE: IDS Question"
- Maybe in reply to: Bandi: "Differences between closed and filtered ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Lambott@aol.com Message-ID: <email@example.com> Date: Sun, 18 Nov 2001 19:21:01 EST Subject: Re: Differences between closed and filtered ports To: SECURITY-BASICS@securityfocus.com
From past experience, I believe the risk associated with using REJECT instead
of Drop/Deny on the Gateway (Firewall or Router), especially to block ICMP,
is that this may well give away the identity of the firewall and leaves it
vulnerable to known exploits (published or unpublished).
Just a thought, so please correct me if I am wrong.
In a message dated 18/11/01 20:38:36 GMT Standard Time, firstname.lastname@example.org
<< Subj: RE: Differences between closed and filtered ports
Date: 18/11/01 20:38:36 GMT Standard Time
From: email@example.com (Golden_Eternity)
To: firstname.lastname@example.org (Bandi), SECURITY-BASICS@SECURITYFOCUS.COM
> I recently thought about the following. If a port is closed the host
> refuses the connection. What does the host exactly response?
It sends a reset.
> Is it necessary that the host responses on a closed port (couldn't that be
> managed in some way with timeouts)?
If the host is alive it sends back a reset so that you don't have to wait
for the timeout, otherwise the application would be stalled waiting for the
> Could you suggest a way to make ipchains act like a port was closed when
> filtering it, so that a portscanner from certain machines wouldn't notice
> the firewall?
Use '-j REJECT' instead of '-j DROP'.
For more info on this subject you can see my paper "Firewall rule exposure
on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html) but
your best bet is one of Fyodor's papers on how nmap
----------------------- Headers --------------------------------
Received: from rly-yc05.mx.aol.com (rly-yc05.mail.aol.com [172.18.149.37])
by air-yc05.mail.aol.com (v82.22) with ESMTP id MAILINYC53-1118153836; Sun,
18 Nov 2001 15:38:36 -0500
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
[22.214.171.124]) by rly-yc05.mx.aol.com (v82.22) with ESMTP id
MAILRELAYINYC57-1118153824; Sun, 18 Nov 2001 15:38:24 -0500
Received: from lists.securityfocus.com (lists.securityfocus.com
by outgoing.securityfocus.com (Postfix) with QMQP
id 81E96A3114; Sun, 18 Nov 2001 12:19:32 -0700 (MST)
Mailing-List: contact email@example.com; run by ezmlm
Delivered-To: mailing list firstname.lastname@example.org
Delivered-To: moderator for email@example.com
Received: (qmail 11231 invoked from network); 15 Nov 2001 16:53:20 -0000
From: "Golden_Eternity" <firstname.lastname@example.org>
To: "Bandi" <email@example.com>, <SECURITY-BASICS@SECURITYFOCUS.COM>
Subject: RE: Differences between closed and filtered ports
Date: Thu, 15 Nov 2001 08:53:06 -0800
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000