Re: Packet filtering help
On Mon, 9 April 2001 21:40, Jim Breton wrote:
> On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
> > Ask yourself this: *Why* should ICMP be filtered? What are you gaining?
> > Do you sleep better at night knowing that your machine won't respond to
> > pings? It really doesn't make you any safer.
> What are you gaining by responding to them?
RFC compliancy isn't enough? IMHO should be.
> A decent policy is to drop everything you don't need to respond to.
Breaking everything you do not need to work isn't decent. Someone else might
> You do gain some "security through obscurity." Depending on how much
"security through obscurity." = "false feeling of security" :-)
> you value this contributes to your subsequent choice.
> For instance, many script kiddies will not scan your entire box if you
> are undetected by a ping sweep. Granted, if you have other
> vulnerabilities that you are hiding then you have bigger problems. But
> it can buy you some time at least.
Script kiddie scanning your entire box won't hurt you much.
Vaclav Hula email@example.com
Capitol Internet Publisher, Korunovacni 6, 170 00 Prague 7, Czech Republic
tel.: ++420 2 3337 1113, fax: ++420 2 3337 1112