
Re: is iptables enough?



* Adrian Phillips <adrianp@powertech.no> [030321 09:21]:
> Um, would you be so kind as to explain the "deluding yourself" part or
> point to some information that does so? From what I have read on the
> net using Google, a good number of people use DROP to help with port
> scanning (i.e. port scanning will take a lot longer with DROP than with
> REJECT), and also to help with DoS, whereas REJECT is deemed more polite.

A person using a scanner slowed down by DROP rules will in most
cases be no danger. (Why should a scanner wait for an answer before
probing the next port?)

To ease DoS it needs quite a large downstream/upstream ratio, as otherwise
DoSing your downstream works anyway. (And that is simpler, as the
packets can be larger.)

With dropping packets one normally only shoots oneself in the foot. Configuration
errors or typing errors do not cause proper error messages but strange
behaviour. It's like renaming 'su' to 'querz': one might hit something
under the foot, but that's not worth the foot.

If I were a black hat, I would probably attack a computer dropping
things first, as it just looks more amateur-like.

That all said, a DROP rule can in some corner cases be useful, too.
Dropping everything not sent directly to the machine, in a net with
some crazy broadcasters, can reduce traffic a bit and only makes
ping <broadcast-address> unusable.

Hochachtungsvoll,
	Bernhard R. Link
-- 
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)
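
The two arguments above (a scanner does not wait for one answer before sending the next probe, and DROP turns a misconfiguration into a silent timeout instead of a clear "connection refused") can be seen from the client side with a small TCP probe. The following is an added example, not code from the original mail or from the iptables project; `probe`, `scan` and `local_fixture` are hypothetical names chosen here. A port behind `-j REJECT` (the default `--reject-with icmp-port-unreachable`, or `--reject-with tcp-reset`) shows up as ECONNREFUSED, i.e. `closed`, while a port behind `-j DROP` shows up only as a timeout, i.e. `filtered`. The fixture constructs one listening and one closed port on 127.0.0.1 so the script runs offline; point `scan` at a host behind a DROP rule to see the `filtered` case.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=2.0):
    """Return (state, elapsed_seconds) for one TCP connect() probe.

    'open'     - handshake completed, something is listening
    'closed'   - ECONNREFUSED: a TCP RST or an ICMP port-unreachable came
                 back, which is what 'iptables -j REJECT' produces
    'filtered' - no answer before the timeout, which is what
                 'iptables -j DROP' produces (or a packet lost on the way)
    'error'    - any other OSError (no route, host unreachable, ...)
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:          # REJECT answers at once; DROP ends up here
        state = "filtered"
    except OSError:
        state = "error"
    finally:
        s.close()
    return state, time.monotonic() - start


def scan(host, ports, timeout=2.0, workers=64):
    """Probe all ports concurrently; return ({port: state}, wall_seconds).

    Probes are sent without waiting for the previous answer, so the wall
    time is roughly one timeout, not len(ports) * timeout: a DROP rule
    does not slow such a scanner down in any useful way.
    """
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    states = {p: st for p, (st, _) in zip(ports, results)}
    return states, time.monotonic() - start


def local_fixture():
    """Constructed fixture (not real targets): one listening port and one
    closed port on 127.0.0.1, so the example runs offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now: connect() gets a RST -> 'closed'
    return listener, open_port, closed_port


if __name__ == "__main__":
    listener, open_port, closed_port = local_fixture()
    try:
        states, wall = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
        for port, state in sorted(states.items()):
            print(f"127.0.0.1:{port} {state}")
        print(f"scan of {len(states)} ports took {wall:.2f}s")
    finally:
        listener.close()
```

For an administrator debugging a rule set the same classification is the whole point: a `closed` result tells you the packet reached the host and was refused, a `filtered` result only tells you that something between you and the service ate it, which is the "strange behaviour" the mail warns about.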
