Re: Firewall - DROP or DENY
On Mon, Apr 15, 2002 at 06:21:11PM +0200, Jan-Hendrik Palic wrote:
> On Mon, Apr 15, 2002 at 06:05:52PM +0200, Arne P. Boettger wrote:
> >Yes, but you might trick legal clients into thinking that your
> >server is completely unreachable, thus make it impossible for them
> >to connect to you at all.
> This will only work if you have a passive server, like a masq-router.
> If you have a webserver/mailserver ... then you can see, that there is a
> server by using nmap.
> You are not invisible then.
I didn't mean this as a good point, but rather as an example of breaking
something. Imagine a legal client accessing an illegal port (by
accident, e.g. by a typo, 8008 instead of 8080), and getting an ICMP
host unreachable message. The user realizes the mistake, corrects
it, but boom, the client machine says "no, that host is unreachable,
I just learned that!" Voila, you've DoSed yourself.
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <email@example.com> /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V
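The three choices the thread is arguing about (silently DROP, REJECT with a per-port error, REJECT with icmp-host-unreachable) side by side, as an added example that is not part of the original message or of any poster's configuration. It is a small generator for an iptables INPUT ruleset: the allowed ports (80 and 8080), the conntrack rule and the mode names are assumptions chosen for illustration; the rules are only printed for review unless "apply" is given as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): emit a minimal iptables INPUT ruleset
# whose handling of unwanted ports is selectable, so the client-visible effect
# of DROP vs. REJECT variants can be compared. Ports 80/8080 and the mode
# names are assumed values for illustration.
#
# gen_rules MODE
#   drop : discard silently. The client sees nothing and times out; nmap
#          reports the port as "filtered" (the host is still visibly up).
#   port : per-port error: TCP RST for tcp, ICMP port-unreachable for udp.
#          The client gets an immediate "connection refused" for that port
#          only and can connect to any other port straight away.
#   host : ICMP host-unreachable for everything unwanted. This is a
#          host-level error, which is what lets a client stack conclude the
#          whole host is down after one mistyped port (the self-DoS above).
gen_rules() {
    m=$1
    case "$m" in
        drop) tcp_action="-j DROP"
              udp_action="-j DROP" ;;
        port) tcp_action="-j REJECT --reject-with tcp-reset"   # tcp only
              udp_action="-j REJECT --reject-with icmp-port-unreachable" ;;
        host) tcp_action="-j REJECT --reject-with icmp-host-unreachable"
              udp_action="-j REJECT --reject-with icmp-host-unreachable" ;;
        *)    echo "unknown mode: $m (use drop, port or host)" >&2
              return 1 ;;
    esac
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp $tcp_action
iptables -A INPUT -p udp $udp_action
EOF
}

# Default: print the rules for the chosen mode. "apply" executes them
# (requires root); review the printed output first.
mode=${1:-port}
if [ "${2:-}" = apply ]; then
    gen_rules "$mode" | sh
else
    gen_rules "$mode"
fi
```

After applying one of these on a test box, the difference is easy to observe from a client: `nc -z -w 3 HOST 8008` returns "Connection refused" at once in port mode, hangs until the timeout in drop mode, and in host mode returns a host-unreachable error that some client stacks remember for the destination for a while, so the follow-up connection to 8080 can fail as well, which is exactly the failure described in the message above. Note that `--reject-with tcp-reset` is only valid on `-p tcp` rules; the udp rule has to use an ICMP type.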