Re: Packet filtering help
On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
> RFC compliancy isn't enough? IMHO should be.
Someone else has already responded to this; but no, RFC compliance
doesn't necessarily tell us the best thing to do for every situation.
Take SYN cookies, for example.
> > A decent policy is to drop everything you don't need to respond to.
>
> breaking everything you do not need to work isn't decent. someone else might
> need.
What are you talking about?
If you need this for someone else to be able to contact you then this
falls into the "you need this" category. Simple.
> > You do gain some "security through obscurity." Depending on how much
>
> "security through obscurity." = "false feeling of security" :-)
No, because there's nothing falsified about this. If you know what you
are doing then you know exactly what you are _not_ gaining as well as
what you are gaining. I already explained this.
> > For instance, many script kiddies will not scan your entire box if you
> > are undetected by a ping sweep. Granted, if you have other
> > vulnerabilities that you are hiding then you have bigger problems. But
> > it can buy you some time at least.
>
> Script kiddie scanning your entire box won't hurt you much.
Where did I say it would? This has nothing to do with the scan; it has
something to do with the kiddie's next move (if any) _after_ detecting your
box.