RE: Iptables Clues and Advices.

From: Allan Schon (allanschon@mckinleymachinery.com)
Date: 04/09/03

  • Next message: Steve Bremer: "RE: Iptables Clues and Advices."
    Date: Wed, 9 Apr 2003 09:54:28 -0400
    From: "Allan Schon" <allanschon@mckinleymachinery.com>
    To: <security-basics@securityfocus.com>
    

    OK, so I was gonna fire off a response that argued that the advantages to REJECT mentioned in the article weren't very useful, but I Googled the topic, and came up with another advantage to REJECT. If you are sending out the host-unreachable response, an attacker will have a tough time spoofing your IP address, unless he can take your computer down, somehow.

    http://www.linuxsecurity.com/articles/firewalls_article-3055.html

    DROP seems more secure, on cursory examination, but the more I dig into it, the more I think that REJECTing might be a better policy. I may be reconfiguring my firewall this evening...

    Anyone else have any insight into this topic?

    -----Original Message-----
    From: Jason Dixon [mailto:jasondixon@myrealbox.com]
    Sent: Tuesday, April 08, 2003 12:20 PM
    To: gillettdavid@fhda.edu
    Cc: security-basics@securityfocus.com
    Subject: RE: Iptables Clues and Advices.

    For all the folks who are under the illusion that DROP is more secure than REJECT, I
    submit the following:

    http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

    -J.

    On Mon, 2003-04-07 at 20:03, David Gillett wrote:
    > There is ONE specific case in which I REJECT rather than
    > DROP filtered packets:
    >
    > Sometimes users behind my firewall need to contact an outside
    > POP3 email server. Many such boxes react to such connections by
    > attempting a connection back to the source on port 113 (identd).
    > If I DROP connections to this port, the remote POP3 server
    > will wait for its request to time out -- and then try again and
    > time out again, two more times. By REJECTing the connection, I
    > let the server try and fail and try and fail immediately, and so
    > my client's download of mail begins much sooner than it would
    > if I just DROPped those packets.
    >
    > David Gillett
    >
    >
    > > -----Original Message-----
    > > From: Allan Schon [mailto:allanschon@mckinleymachinery.com]
    > > Sent: April 7, 2003 08:53
    > > To: security-basics@securityfocus.com
    > > Subject: RE: Iptables Clues and Advices.
    > >
    > >
    > > > it will also result in a mess, because the server will be a
    > > > hole in space (regarding the blocked ports). And what are
    > > > the benefits (if there are any) of this practice?
    > >
    > > Well, the primary benefit is that attackers scanning for
    > > specific open ports in your ip range will never find your
    > > machine, if you're dropping connection attempts to the target
    > > port. That's a considerable advantage, I think. They can't
    > > attack you if they don't know you're there.
    > >
    > > Are there any specific disadvantages to DROPing?
    > >
    > > -----Original Message-----
    > > From: Andreas Happe [mailto:andreashappe@gmx.net]
    > > Sent: Saturday, April 05, 2003 5:29 PM
    > > To: security-basics@securityfocus.com
    > > Subject: Re: Iptables Clues and Advices.
    > >
    > >
    > > In article <1049484753.24055.41.camel@unsigned.local.fr>,
    > > Pierre BETOUIN wrote:
    > > > DROP would be better there because you don't need to
    > > > prevent attackers that this port is filtered.
    > >
    > > it will also result in a mess, because the server will be a
    > > hole in space (regarding the blocked ports). And what are the benefits
    > > (if there are any) of this practice?
    > >
    > > andreas
    > > --
    > > I tell them to turn to the study of mathematics, for it is only there
    > > that they might escape the lusts of the flesh.
    > > -- Thomas Mann, "The Magic Mountain"

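As an added illustration of the identd case David Gillett describes (not a script from the thread or from any of its authors), the policy below DROPs unsolicited inbound traffic by default but REJECTs TCP/113 with a TCP RST, so a remote POP3 server that probes identd is refused at once instead of retrying into a timeout. The interface names and LAN range are assumed placeholder values; the rules are emitted as text for review and only applied with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the thread: iptables policy that silently DROPs
# by default but answers identd (TCP/113) probes with a TCP RST, so remote
# mail servers that check identd fail immediately rather than timing out.
# WAN_IF, LAN_IF and LAN_NET are assumed values for illustration only.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rule set as commands; this function applies nothing.
# Clients behind NAT appear as the firewall's own address, so the
# identd probe from the remote server arrives on the INPUT chain.
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# Number of generated rules that jump to the given target (sanity check).
count_target() {
    gen_rules | grep -c -- "-j $1"
}

# Apply only on explicit request and only as root; otherwise just print.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    gen_rules | sh -e
else
    gen_rules
fi
```

Flush any existing rules first and apply from the console rather than over a remote session, since the DROP policy takes effect before the ESTABLISHED rule is added.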