RE: NAT, Internet access and security

From: Wesley Song (
Date: 01/11/02

From: "Wesley Song" <>
To: <>
Date: Fri, 11 Jan 2002 11:03:27 -0700

The purpose of the stealth rule is so that when they ping the IP of the
firewall it will not respond. If you have other servers, then they
should be on different IPs and should be redirected through the
firewall. The purpose of this is so that if you have your firewall
setup, then they can't hack the firewall itself. If you have a
webserver for instance, then they can still hack the webserver. This is
the reason for hardening and for the vigilance to patch the OS that runs
the webserver. A firewall is not a cureall, it does a specific job, to
control traffic. If you want better protection on any server that has a
window to the outside world through your firewall, you might want to
think about an IDS

Wesley Song
Systems/Network Adinistrator
Atlas Support Centers
303.692.0451 x270

-----Original Message-----
From: ___cliff rayman___ []
Sent: Wednesday, January 09, 2002 6:33 PM
To: Bourque Daniel;
Subject: Re: NAT, Internet access and security

Bourque Daniel wrote:

> Normally, you want your FW to be as invisible as possible (black hole)
> you just drop all incoming packet that are not specifically allowed in
by a
> rule. What you can't see can only be attack by guessing. Rejecting
> back information to the bad guy...

i think it is a black hole only if it does not respond on any port. that
every port is drop (deny). of couse, in that case, nothing gets through
the network. if you drop packets on most ports, but allow some in on
others, you are telling the "bad guys" that you are using a firewall
and that you drop packets instead of reject them.

if you reject packets, then you might just be a host that does not have
that service running. in either case, i don't think it is going to make
much of a difference to most "bad guys", since they will just try and
hack you on the ports that are open in any case.

> In the case of a smtp mail server, it's better to reject incoming
> request otherwise, you will have timeout problem with the smtp
delivery of
> your mail going out to some servers..

this is true!

> I had heard that it is better to have a 'reject' rule instead of a
> 'deny' one, as reject will give back an immediate reply to the
> interrogator, while just rejecting the query can give you a multitude
> 'retry', which can eat you bandwidth with lots and lots of retries. If
> possible, can somebody point me where can I get correct information on
> this (white papers, hints, tips, anything..)
> Nick wrote:
> > I was under the impression that the "stealth rule" was to have
> > going directly to your Firewall dropped, therefore making your FW's
> > addess a "black hole". It never answers anything, except what you
> > specifically allow for management purposes.

___cliff rayman___cliff@genwax.com___

Relevant Pages

  • Re: Help In network configuration.
    ... port of a router. ... 2] I will run a cable from Internal Port of router to the ... external port of firewall. ... Servers Switch. ...
  • Re: What is this?
    ... >This event is generated when TCP traffic to port 0 is detected. ... This fails on a properly set up firewall. ... accessible DNS servers - one in the DMZ, and two located at our upstream. ... All internal DNS requests go to servers behind the firewall, ...
  • Re: terminal services quirkyness question
    ... When you ssh into your Firewall you are Basically inside your Network ... will have to change the default port that TS listens too... ... Open the Ports in your Firewall and Point them to your servers, ...
  • Re: Please Help
    ... > protection with a single firewall so you need to be real thorough. ... > addresses on the external ethernet adapter to publish both webservers on ... > run on a different port. ... This way you can put your lan and servers on separate subnets ...
  • RE: Slow user logon on Terminal server after migration to Windows 2003
    ... The Terminal Servers are 2000 or 2003. ... "Inside the firewall zone" means that the Citrix Servers have a firewall ... available RPC ports? ...