
Re: Packet filtering help



On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
> RFC compliancy isn't enough? IMHO should be. 

Someone else has already responded to this; but no, RFC compliance
doesn't necessarily tell us the best thing to do for every situation.
Take syn cookies for example.


> > A decent policy is to drop everything you don't need to respond to.
> 
> breaking everything you do not need to work isn't decent. someone else might 
> need. 

What are you talking about?

If you need this for someone else to be able to contact you then this
falls into the "you need this" category.  Simple.


> > You do gain some "security through obscurity."  Depending on how much
> 
> "security through obscurity."  = "false feeling of security" :-)

No, because there's nothing falsified about this.  If you know what you
are doing then you know exactly what you are _not_ gaining as well as
what you are gaining.  I already explained this.


> > For instance, many script kiddies will not scan your entire box if you
> > are undetected by a ping sweep.  Granted, if you have other
> > vulnerabilities that you are hiding then you have bigger problems.  But
> > it can buy you some time at least.
> 
> Script kiddie scanning your entire box won't hurt you much.

Where did I say it would?  This has nothing to do with the scan; it has
something to do with the kiddie's next move (if any) _after_ detecting your
box.


