
Re: dropping vs rejecting for non-existent services



On Sat, 30 Oct 2004 19:12, martin f krafft <madduck@debian.org> wrote:
> also sprach Russell Coker <russell@coker.com.au> [2004.10.30.1106 +0200]:
> > If you block with tcp-reset then not only will the person
> > connecting get a fast response, but someone who port scans you
> > won't know which ports don't have anything listening on them and
> > which ports are blocked by iptables.
>
> While it can be considered "kind" to let people know which ports are
> inaccessible, I always treat access to ports that I did not open for
> the public as an offence. Thus, I do not feel obliged to let the
> offender know that s/he is accessing an inaccessible port.

Which is why you want a TCP RST packet so that they don't know the port is 
being blocked by a firewall, just that the port is not available.

> As an added benefit, DROP obscures who is dropping. It could be the
> host or a firewall before it.  Now that I think of it, however, 
> a firewall would spoof the sending IP when rejecting with tcp-reset,
> right?

Yes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
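As an added example, not code from the original thread, the two iptables variants being discussed side by side: DROP, which leaves the peer waiting and marks the port as filtered, and REJECT with a TCP RST, which makes a blocked port look like one with no listener. The port numbers and the ssh exception are constructed for illustration, and IPT defaults to a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread: closing unused TCP ports with
# DROP versus REJECT --reject-with tcp-reset. IPT defaults to a dry run that
# prints the iptables commands; run with IPT=iptables as root to apply them.
# Port numbers and the ssh exception are constructed for illustration.
IPT="${IPT:-echo iptables}"

# Variant 1: DROP. The peer gets no answer at all and has to wait for its
# own timeout; a port scanner reports the port as "filtered", which tells
# it that a packet filter sits in front of the host.
rules_drop() {
    $IPT -A INPUT -p tcp --dport 8080 -j DROP
}

# Variant 2: REJECT with a TCP RST. The peer gets the same RST a port with
# no listener would return, so a scanner cannot tell a blocked port from an
# unused one. The kernel builds the RST from the rejected packet with the
# addresses swapped, so a RST sent by a router in front of the host carries
# the host's address as source, which is the spoofing asked about above.
rules_reject_rst() {
    $IPT -A INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset
}

# A complete INPUT policy in the RST style: the loopback interface and
# established flows are accepted, one listening service (ssh) is opened,
# and everything else is rejected. tcp-reset is only valid on rules that
# match -p tcp; UDP rejects fall back to the ICMP port-unreachable message.
policy_reject_rst() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Count how many commands a policy function emits (handy in the dry run).
count_rules() {
    "$1" | wc -l | tr -d ' '
}
```

Run the script as-is to review the generated commands, then with `IPT=iptables` to apply them; the policy keeps the default `-P INPUT DROP` so that anything not matched by the explicit REJECT rules (non-TCP/UDP protocols) is still silently discarded.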


