
Re: your mail



On Thu, Mar 16, 2000 at 05:58:00PM -0400, Peter Cordes wrote:

> This isn't specific to identd, but I'm wondering why you would bother
> filtering the port instead of just not running identd?  (I assume you would
> have/do turn off identd in /etc/inetd.conf as well as doing port
> filtering.)  I've never really understood why people filter all kinds of
> ports on their own machine when the ports are closed anyway.  The only
> advantage I can see is that if someone hits you with a trojan
> something-or-other, the bad guys won't be able to talk to it if it picks
> a blocked port.  Is this the reason for doing it, or am I missing something?
> 
> Filtering ports makes sense when you are protecting a bunch of machines,
> especially ones which you don't run directly, but for a machine filtering
> traffic for only itself, it seems like a waste.

If the port's closed then admittedly there's not a lot of point, BUT if you
have 'DENY' by default then at least you're slowing someone's scanner down
quite a bit - you have to consider whether you want an ICMP 'dest unreachable'
going back or not, but that's your choice.

Alternatively, people might filter based on different incoming host, network
or interface[1]; if it's from a site I trust I might allow it for speed and/or
identity "checking" if required; if I'm not sure about them I might let them
through to tcp wrappers so an incoming request sparks a scan/finger straight
back whence it came; otherwise I might just DENY altogether.

[1] it gets really exciting when you start doing NAT/tunnelling of some
description as e.g. tap0 basically tunnels over ppp0, for example.

~Tim
-- 
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | piglet@glutinous.custard.org
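As an added illustration that is not part of Tim's or Peter's mail, the three classes of source Tim describes (trusted, unsure, everyone else) written as a 2.2-era ipchains policy for the auth/identd port. The networks (RFC 5737 documentation ranges), the interface name, and the IPCHAINS and REJECT_OTHERS variables are constructed placeholders for the example, not anything from the thread; setting IPCHAINS=echo prints the rules instead of loading them, which is how the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original mail: an ipchains (Linux 2.2) input
# policy for tcp/113 following the trusted / unsure / everyone-else split.
# All addresses and the interface are constructed placeholders.
# Set IPCHAINS=echo for a dry run that prints the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"

TRUSTED_NET="192.0.2.0/24"      # constructed: hosts whose ident lookups we answer
UNSURE_NET="198.51.100.0/24"    # constructed: handed on to inetd + tcp_wrappers
EXT_IF="eth0"                   # constructed: the Internet-facing interface

ident_policy() {
    # Default DENY: a filtered port returns nothing, so a scanner has to wait
    # out its own timeout on every probe instead of getting an immediate RST.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -F input

    # Loopback traffic is never filtered.
    "$IPCHAINS" -A input -i lo -j ACCEPT

    # Class 1: the trusted network reaches identd directly (speed, identity checks).
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s "$TRUSTED_NET" -d 0/0 113 -j ACCEPT

    # Class 2: the unsure network is let through to inetd, where tcp_wrappers
    # (hosts.allow / hosts.deny) decides, logs, or reacts per request.
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s "$UNSURE_NET" -d 0/0 113 -j ACCEPT

    # Class 3: everyone else. REJECT answers with ICMP "destination unreachable",
    # so a remote MTA doing an ident lookup gives up at once; DENY drops silently
    # and stalls the probe until it times out. The mail leaves this choice to the
    # admin, so REJECT_OTHERS (constructed knob) selects between them here.
    if [ "${REJECT_OTHERS:-no}" = yes ]; then
        "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -d 0/0 113 -j REJECT
    else
        "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -d 0/0 113 -j DENY
    fi
}

# Usage: review first, then load.
#   IPCHAINS=echo sh ident_policy.sh        (dry run, prints the rules)
#   sh ident_policy.sh                      (as root, loads them)
```

Note that the rules only cover what the firewall sees; identd is still disabled in /etc/inetd.conf for hosts that do not need it at all, and the class-2 path only makes sense when inetd actually hands the connection to tcpd.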

