Re: IP Chains -- DENY or REJECT

From: Shaolin Tiger (shaolin@*no-*pgen*-spam*.net)
Date: 03/05/02


From: "Shaolin Tiger" <shaolin@*no-*pgen*-spam*.net>
Date: Mon, 4 Mar 2002 23:47:43 -0000


"Jonathan Angliss" <valcor@fluxnet.org> wrote in message
news:20020303.214851.1351797369.9638@pooky.pooky...
> Hi All,
>
> Been playing with my ipchains rules, and found out something interesting.
> When running an nmap UDP port scan, it shows certain ports open (as
> expected, I've not blocked them yet). I put in a rule to block that
> port... ie:
>
> /sbin/ipchains -A input -p udp --dport 137 -j DENY
>
> Apply the new firewall, then rerun the scan... it *still* shows the port
> to be open... I change DENY to REJECT... and re-run the scan, and it
> reports that either the port is filtered, or not open (depending on the
> nmap scan I run). Which usage is correct, DENY or REJECT? I've seen
> people mentioning the use of DENY, but just the simple test I did shows
> DENY seems to be ineffective.
>
> I'm changing to iptables soon, when I get 5 mins to recompile the kernel
> as it doesn't seem to want to allow me to use iptables ;) Currently
> using a pretty standard RH7.1 installation. Any ideas on the above would
> be appreciated ;)
>
> -- Jon

Basically DENY sends a reply saying that access is denied to that port if it
is; REJECT totally ignores incoming packets, so a scan won't know if it's open
or not.

REJECT is better generally IMHO, as it denies all existence of the port to
the outside.

The only thing you can't reject is incoming pings, as the RFC states every machine
on the Internet must reply to a ping.

Regards

Shaolin
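Whichever ipchains target is in place, what the scan reports depends only on what the host sends back for each UDP probe. The following Python model is an added example, not code from this thread or from nmap: it applies the response-classification rules a UDP port scanner uses (a UDP reply means open, an ICMP port-unreachable means closed, another ICMP unreachable means filtered, and silence is ambiguous, reported as open|filtered by current nmap and simply as "open" by the releases of the time). The port-to-behaviour table is constructed for the example and describes no real machine; the ICMP type and code numbers are the standard ones from RFC 792.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Standard ICMP values (RFC 792 / RFC 1812).
ICMP_DEST_UNREACH = 3            # type 3: destination unreachable
CODE_PORT_UNREACH = 3            # code 3: port unreachable
CODE_ADMIN_PROHIBITED = 13       # code 13: communication administratively prohibited


@dataclass
class Response:
    """What came back for one UDP probe; the scanner passes None when nothing arrived."""
    proto: str                        # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify_udp_probe(response: Optional[Response]) -> str:
    """Map a single probe's outcome to the port state a UDP scanner reports."""
    if response is None:
        # Silence is ambiguous: the service may simply not answer unsolicited
        # datagrams, or a filter may have dropped the probe.  The scanner
        # cannot tell which, so a dropped probe never looks "closed".
        return "open|filtered"
    if response.proto == "udp":
        return "open"                 # something on that port talked back
    if response.proto == "icmp" and response.icmp_type == ICMP_DEST_UNREACH:
        if response.icmp_code == CODE_PORT_UNREACH:
            return "closed"           # the host itself said nothing listens there
        return "filtered"             # another unreachable, typically from a filter
    return "open|filtered"            # anything else is treated like silence


# Constructed host model (assumption for the example, not a measured host):
# which behaviour the host shows for each probed port.
HOST_BEHAVIOUR: Dict[int, str] = {
    53:  "udp_reply",                 # a listening service that answers probes
    137: "silent_drop",               # probe discarded with no reply at all
    138: "icmp_port_unreachable",     # host answers with ICMP type 3, code 3
    161: "icmp_admin_prohibited",     # host answers with ICMP type 3, code 13
    500: "closed_no_filter",          # nothing listening, no filter: kernel sends port unreachable
}


def host_response(behaviour: str) -> Optional[Response]:
    """Translate a behaviour label into the packet (or silence) the scanner sees."""
    if behaviour == "udp_reply":
        return Response("udp")
    if behaviour == "silent_drop":
        return None
    if behaviour in ("icmp_port_unreachable", "closed_no_filter"):
        return Response("icmp", ICMP_DEST_UNREACH, CODE_PORT_UNREACH)
    if behaviour == "icmp_admin_prohibited":
        return Response("icmp", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED)
    raise ValueError(f"unknown behaviour: {behaviour}")


def scan_report(host: Dict[int, str]) -> Dict[int, str]:
    """Run the classifier over every port in the constructed host model."""
    return {port: classify_udp_probe(host_response(b))
            for port, b in sorted(host.items())}


if __name__ == "__main__":
    for port, state in scan_report(HOST_BEHAVIOUR).items():
        print(f"{port:>5}/udp  {state:<14} ({HOST_BEHAVIOUR[port]})")
```

Port 137 in the model is the case the first post describes: a probe that gets no answer is indistinguishable, from the scanner's side, from a service that is listening but silent, so the scan cannot report it as closed. Port 138 shows the other possible firewall behaviour, an ICMP port-unreachable, which the scanner reads as a definite "closed". Neither answer hides the host itself; a defender choosing between the two is choosing between leaking "something is dropping probes here" and leaking "nothing listens here", not between visible and invisible.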


