
Re: Packet filtering help

On Mon, 9 April 2001 21:40, Jim Breton wrote:
> On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
> > Ask yourself this: *Why* should ICMP be filtered?  What are you gaining?
> > Do you sleep better at night knowing that your machine won't respond to
> > pings?  It really doesn't make you any safer.
> What are you gaining by responding to them?

RFC compliance isn't enough? IMHO it should be.

> A decent policy is to drop everything you don't need to respond to.

Breaking everything you do not need to work isn't decent. Someone else might

> You do gain some "security through obscurity."  Depending on how much

"security through obscurity."  = "false feeling of security" :-)

> you value this contributes to your subsequent choice.
> For instance, many script kiddies will not scan your entire box if you
> are undetected by a ping sweep.  Granted, if you have other
> vulnerabilities that you are hiding then you have bigger problems.  But
> it can buy you some time at least.

A script kiddie scanning your entire box won't hurt you much.


Regards,
Vaclav Hula	                                 vaclav.hula@capitol.cz
Capitol Internet Publisher, Korunovacni 6, 170 00 Prague 7, Czech Republic
tel.: ++420 2 3337 1113, fax:  ++420 2 3337 1112
