Re: dropping vs rejecting for non exixtent services
On Sat, 30 Oct 2004 19:12, martin f krafft <madduck@debian.org> wrote:
> also sprach Russell Coker <russell@coker.com.au> [2004.10.30.1106 +0200]:
> > If you block with tcp-reset then not only will the person
> > connecting get a fast response, but someone who port scans you
> > won't know which ports don't have anything listening on them and
> > which ports are blocked by iptables.
>
> While it can be considered "kind" to let people know which ports are
> inaccessible, I always treat access to ports that I did not open for
> the public as an offence. Thus, I do not feel obliged to let the
> offender know that s/he is accessing an inaccessible port.
Which is why you want a TCP RST packet so that they don't know the port is
being blocked by a firewall, just that the port is not available.
> As an added benefit, DROP obscures who is dropping. It could be the
> host or a firewall before it. Now that I think of it, however,
> a firewall would spoof the sending IP when rejecting with tcp-reset,
> right?
Yes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Reply to: