Re: iptables and port scan
From: Cedric Blancher (blancher@cartel-securite.fr) Date: 02/13/02
From: Cedric Blancher <blancher@cartel-securite.fr> Date: Wed, 13 Feb 2002 11:18:11 +0000 (UTC)
In his prose, Lutz Donnerhacke (lutz@iks-jena.de) wrote to us:
> Do you know that the RFC says: "If no MX record can be found, use A"?
> How to determine the service offers for 1234? How to determine the DNS offers
> on TCP/53? Is AXFR abnormal?
Once again, I explain my policy. My domain has an MX. No need to look for
SMTP elsewhere. I do not offer 1234 service, no need to check. My DNS is
registered and AXFR is only useful between servers that need to exchange
my zones. Are you running a DNS server that answers for my domains? If
not, you do not need my zones.
> I'm the ISP. Does this qualify me to behave abnormally?
So you connect to ROOT servers, which are known.
>>The only reference for the services I offer to anonymous users is my website.
>>My website is called www. Was it so difficult to find?
> Where is it specified that all allowed services must be published in a
> machine-unreadable language embedded in HTML received via HTTP connects to
> port 80 on the machine suffixed by "www."?
That's my policy. Since the beginning, I have been laying out my policy to
explain to you that in such a case, you do not have to scan my hosts to reach
the services I offer you, to make you admit that there are situations when
dropping is not harmful, and that keeping to such fanatic positions (as fanatic
as those who claim portscanners should be prosecuted) is, to my mind, useless.
> DENY will harm you, your customers, your friends, and companies you deal with.
> I.e. ident is a common backquery.
No, because my customers, friends, and companies I deal with do not try
to connect to closed ports.
--
I don't think it's you.... you are far too devious to act that way. You, your style is more to contact the bank directly, hoping that I won't get my referral gifts!!!!!
-+- JD in <http://neuneu.mine.nu> : Petit neuneu Noël -+-