Re: Iptables Clues and Advices.
From: Bryan S. Sampsel (bsampsel@libertyactivist.org)
Date: 04/09/03
- Previous message: Stephen Entwisle: "SecurityFocus Article Announcement"
- In reply to: Jason Dixon: "RE: Iptables Clues and Advices."
- Next in thread: Christian Friedl: "Re: RE: Iptables Clues and Advices."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 09 Apr 2003 09:07:19 -0600
From: "Bryan S. Sampsel" <bsampsel@libertyactivist.org>
To: Jason Dixon <jasondixon@myrealbox.com>
The flip side is that the person performing scans ties up more of HIS
resources, slowing down his progress.
Sorry, I'll stick to DROP.
bryan
Jason Dixon wrote:
> For all the folks who are under the illusion that DROP is more secure than REJECT, I
> submit the following:
>
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>
> -J.
>
> On Mon, 2003-04-07 at 20:03, David Gillett wrote:
>
>> There is ONE specific case in which I REJECT rather than
>> DROP filtered packets:
>>
>> Sometimes users behind my firewall need to contact an outside
>> POP3 email server. Many such boxes react to such connections by
>> attempting a connection back to the source on port 113 (identd).
>> If I DROP connections to this port, the remote POP3 server
>> will wait for its request to time out -- and then try again and
>> time out again, two more times. By REJECTing the connection, I
>> let the server try and fail and try and fail immediately, and so
>> my client's download of mail begins much sooner than it would
>> if I just DROPped those packets.
>>
>>David Gillett
>>
>>
>>
>>>-----Original Message-----
>>>From: Allan Schon [mailto:allanschon@mckinleymachinery.com]
>>>Sent: April 7, 2003 08:53
>>>To: security-basics@securityfocus.com
>>>Subject: RE: Iptables Clues and Advices.
>>>
>>>
>>>
>>>> it will also result in a mess, because the server will be a
>>>> hole in space (regarding the blocked ports). And what are
>>>> the benefits (if there are any) of this practice?
>>>
>>>Well, the primary benefit is that attackers scanning for
>>>specific open ports in your ip range will never find your
>>>machine, if you're dropping connection attempts to the target
>>>port. That's a considerable advantage, I think. They can't
>>>attack you if they don't know you're there.
>>>
>>>Are there any specific disadvantages to DROPping?
>>>
>>>-----Original Message-----
>>>From: Andreas Happe [mailto:andreashappe@gmx.net]
>>>Sent: Saturday, April 05, 2003 5:29 PM
>>>To: security-basics@securityfocus.com
>>>Subject: Re: Iptables Clues and Advices.
>>>
>>>
>>>In article <1049484753.24055.41.camel@unsigned.local.fr>,
>>>Pierre BETOUIN wrote:
>>>
>>>> DROP would be better there because you don't need to
>>>> prevent attackers that this port is filtered.
>>>
>>>it will also result in a mess, because the server will be a
>>>hole in space (regarding the blocked ports). And what are the benefits
>>>(if there are any) of this practice?
>>>
>>>andreas
>>>--
>>>I tell them to turn to the study of mathematics, for it is only there
>>>that they might escape the lusts of the flesh.
>>> -- Thomas Mann, "The Magic Mountain"
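The identd case David Gillett describes, written out as an iptables policy (an added example, not a ruleset posted in this thread): unsolicited inbound traffic is DROPped, but TCP/113 is REJECTed with a TCP RST so a remote POP3 server's ident lookup fails at once instead of waiting out three timeouts. The chain layout and the `IPT` variable for dry runs are this example's own choices.

```shell
#!/bin/sh
# Added example: DROP-by-default INPUT policy with a REJECT exception for identd.
# Set IPT="echo iptables" to print the commands instead of applying them
# (applying them needs root and a host you are allowed to reconfigure).
IPT="${IPT:-iptables}"

apply_ident_policy() {
    # Loopback and replies to connections we initiated are always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # identd (TCP/113): answer with a RST rather than silence, so the remote
    # mail server's ident probe fails immediately and mail delivery proceeds.
    # (The default --reject-with is icmp-port-unreachable; tcp-reset is what a
    # closed TCP port would normally send and is what ident clients expect.)
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Everything else unsolicited is silently dropped, as the thread prefers.
    $IPT -A INPUT -j DROP
}

# Dry-run helper: count the rules in the generated policy that jump to a target.
count_target() {
    ( IPT="echo iptables"; apply_ident_policy ) | grep -c -- "-j $1"
}
```

Run with `IPT="echo iptables" sh script.sh` (after adding a call to `apply_ident_policy`) to review the rules before applying them; note that the REJECT rule must precede the final DROP, since iptables matches in order.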