
Re: iptables firewall



Mike McClain <mike.junk@nethere.com> wrote:
> On Wed, Jul 30, 2014 at 01:09:24AM +0200, Pascal Hambourg wrote:

> <snip>
>> You can safely ignore that "stealth" FUD.

> block:REJECT::Stealth:DROP
> Why do you say it can be ignored?

If I try to connect to a system on (for example) IP 192.168.40.60 and
port 80 and there is no system with that IP, the router for the network
will tell me via an "ICMP host unreachable" packet.

When my request just "vanishes" and I get no response back, I will
suspect that there is indeed a device at that IP which tries to be in
"stealth" mode.

The only way to be really stealthy and hide one's network existence is to
configure the router _before_ your device to reject the packets with
the correct ICMP.

Doing it on the device you want to stealth is futile.

And it will increase the traffic you receive, because normal TCP stacks
will assume a lost packet and retry sending it multiple times.

If your device just RSTs the connection or sends an "ICMP admin
prohibited" then the sending device will know what to do and stop trying
to resend.

Summary: DROP does not do what you think it does.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
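As an added illustration of the point made in the mail above (example code, not part of Sven's message or of any iptables project): a small model of how a connecting client's TCP stack behaves against a DROP policy versus a REJECT (RST / ICMP admin-prohibited) or a router's "host unreachable". The retry budget and timers are assumptions modelled on Linux defaults (net.ipv4.tcp_syn_retries = 6, 1 s initial RTO with exponential backoff); other stacks differ.

```python
from dataclasses import dataclass

SYN_RETRIES = 6     # assumed: Linux default net.ipv4.tcp_syn_retries
INITIAL_RTO = 1.0   # assumed: initial retransmission timeout in seconds


@dataclass
class Outcome:
    policy: str
    syns_received: int      # SYN packets the "stealthy" host actually receives
    seconds_until_done: float  # time until the client gives up or has its answer
    client_conclusion: str


def syn_retransmit_times(retries: int = SYN_RETRIES, rto: float = INITIAL_RTO):
    """Send times (s) of the first SYN and every retransmission when nobody answers.

    Each retry doubles the wait (RFC 6298 style backoff): 0, 1, 3, 7, 15, 31, 63.
    """
    times, t = [0.0], 0.0
    for i in range(retries):
        t += rto * (2 ** i)
        times.append(t)
    return times


def simulate(policy: str) -> Outcome:
    """Model the client's view for 'DROP', 'REJECT' or 'NO_HOST'."""
    if policy == "DROP":
        times = syn_retransmit_times()
        # Silence is not an answer: the client burns its whole retry budget
        # and only fails after one more doubled RTO following the last SYN.
        give_up = times[-1] + INITIAL_RTO * (2 ** SYN_RETRIES)
        return Outcome(policy, len(times), give_up,
                       "filtered: packets vanish, so a device is probably there")
    if policy == "REJECT":
        # RST or ICMP admin-prohibited: one SYN, immediate definitive answer.
        return Outcome(policy, 1, 0.0, "closed/prohibited: stop retrying")
    if policy == "NO_HOST":
        # Router answers with ICMP host unreachable on the absent address's behalf.
        return Outcome(policy, 1, 0.0, "unreachable: no host at that address")
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for p in ("DROP", "REJECT", "NO_HOST"):
        print(simulate(p))
```

With these defaults a DROP target causes the host to receive 7 SYNs over roughly 127 seconds for a single connection attempt, while REJECT ends the exchange after one packet.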