
Re: Firewall - DROP or DENY


On Mon, Apr 15, 2002 at 06:21:11PM +0200, Jan-Hendrik Palic wrote:
> On Mon, Apr 15, 2002 at 06:05:52PM +0200, Arne P. Boettger wrote:
> >Yes, but you might trick legal clients into thinking that your
> >server is completely unreachable, thus making it impossible for them
> >to connect to you at all.
> This will only work if you have a passive server, like a masq-router.
> If you have a webserver/mailserver ... then you can see that there is a
> server by using nmap.
> You are not invisible then.

I didn't mean this as a good point, rather as an example of breaking
something. Imagine a legal client accessing an illegal port (by
accident, e.g. by a typo 8008 instead of 8080), and getting an icmp
host unreachable message. The user realizes the mistake, corrects
it, but boom, the client machine says "no, that host is unreachable,
I just learned that!" Voila, you've DoSed yourself.

Ciao, Arne.
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb@createx.de>   /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
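The REJECT variants behind this argument, as an added example that is not part of the thread: a small shell function emitting the iptables rule for a closed port, with the host-unreachable answer the mail warns about beside the port-unreachable and tcp-reset answers. IPT and reject_rule are names assumed here; port 8008 is the constructed typo from the mail.

```shell
#!/bin/sh
# Added example, not from the thread: the REJECT answers iptables offers
# for a closed port, written as a function so the choice is explicit.
# IPT defaults to "echo iptables", so running this only prints the rules;
# export IPT=iptables to apply them as root. Port 8008 is the typo from
# the mail, used here as a constructed sample.
IPT="${IPT:-echo iptables}"

# reject_rule PORT KIND  - emit one INPUT rule for tcp/PORT.
#   host : icmp-host-unreachable. Claims the whole host is down. A client
#          that remembers that verdict may also refuse the corrected
#          connection to 8080, which is the self-inflicted DoS above.
#   port : icmp-port-unreachable (REJECT's default). Only this port is
#          reported closed; other ports on the host are unaffected.
#   rst  : tcp-reset. What a genuinely closed TCP port answers; least
#          surprising to clients and to troubleshooting tools.
reject_rule() {
    port="$1"
    case "$2" in
        host) with=icmp-host-unreachable ;;
        port) with=icmp-port-unreachable ;;
        rst)  with=tcp-reset ;;
        *) echo "reject_rule: unknown kind '$2'" >&2; return 1 ;;
    esac
    $IPT -A INPUT -p tcp --dport "$port" -j REJECT --reject-with "$with"
}

# Weak setting, shown for comparison (do not load both; the first match wins):
reject_rule 8008 host
# Corrected setting for a TCP service port:
reject_rule 8008 rst
```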
