Re: is iptables enough?

To: debian-security@lists.debian.org
Subject: Re: is iptables enough?
From: Josh Carroll <jkc120@sbcglobal.net>
Date: Thu, 20 Mar 2003 23:27:57 -0800 (PST)
Message-id: <[🔎] 20030321072757.55402.qmail@web80310.mail.yahoo.com>
Reply-to: josh.carroll@psualum.com
In-reply-to: <[🔎] 20030320211046.GC88028@doorstop.net>

There are a couple of reasons why I use -j DROP
instead of -J REJECT. Firstly, sending responses to
packets your dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the would-be
attacker couldn't just find a network that could
surpass your downstream as well, just pointing out
this drawback of -j REJECT.

Secondly, while DROP'ing the packet doesn't make you
invisible, it does have some degree of value when
deterring people. If an attacker gets no response from
machine 1, but a tcp reject from matchine 2, I'm
willing to bet they'd persue machine 2 first. Let's
face it, if they want to find out if you're there or
running something on a port, they probably can with a
bit more effort anyway, but it might just make them
pass you by for an easier target.

In general, I don't use -REJECT unless I'm worried
about being polite. And in most circumstances,
politeness isn't my goal ;)

Josh

--- Vineet Kumar
<debian-security@virtual.doorstop.net> wrote:
> * Adrian 'Dagurashibanipal' von Bidder
> <avbidder@fortytwo.ch> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively
> open ports until
> > everything works as desired. Depending on the
> applications it may be a
> > good idea to REJECT auth (identd) packets instead
> of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping
> most packets.  If
> you think DROPping makes you invisible, you're
> deluding yourself.  I
> generally end my INPUT chain with
> 
> -p tcp -j REJECT --reject-with tcp-reset
> -p udp -j REJECT --reject-with icmp-port-unreachable
> -j REJECT --reject-with icmp-proto-unreachable
> 
> Of course, different setups have different needs,
> but I think this is
> pretty good for most home configurations
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> http://www.digitalconsumer.org/
> 

> ATTACHMENT part 2 application/pgp-signature
name=signature.asc

Reply to:

Follow-Ups:
- Re: is iptables enough?
  - From: David B Harris <david@eelf.ddts.net>
- Re: is iptables enough?
  - From: Hanasaki JiJi <hanasaki@hanaden.com>

References:
- Re: is iptables enough?
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>

Prev by Date: Re: looking for a good source to start learning about kerberos (thanx)
Next by Date: Re: howcome there's no DSA for the latest Linux ptrace hole?
Previous by thread: Re: is iptables enough?
Next by thread: Re: is iptables enough?
Index(es):
- Date
- Thread