
Re: nft newbie



On Tue, Jul 12, 2022 at 06:16:12PM +0200, tomas@tuxteam.de wrote:
> On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote:
> > On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> > > On 2022-07-12 10:33, Gareth Evans wrote:
> > > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> > > 
> > > > > In most cases it's a best practice to configure all chains with
> > > > > _policy drop_ and then add rules for the traffic that you want to
> > > > > allow
> > > > 
> > > > All the nftables and PF howtos I have found take this approach.
> > > > 
> > > > Why is it best practice?  Is there any security advantage over
> > > > rejection?
> > > > 
> > > I think it is just that 'reject' tells the remote system there is something
> > > listening.
> > > mick
> > > 
> > 
> > 
> > Oh quite contraire!
> > It literally tells you that there is nothing. And that is the problem.
> > This way your system can be part of an attack onto someone else.
> > Because your system creates a message which then is sent to the
> > address in the src address. And that can be a forged address.
> > This way you reflect messages to someone else.
> 
> I was thinking of amplification too. But now you owe us at least
> a hint on how you can use a RST to do amplification.
> 

I think amplification actually needs a service running. This won't
work with just a firewall blocking any traffic.

> So far the factor is 1, which doesn't win you much, does it?

It changes the address where it's coming from. You can hide and
bypass any measures to thwart an attack.


> 
> > In a nice world, where everybody plays by the rules reject would be the
> > proper thing. Here in reality drop is the better choice.
> 
> C'mon, show us the code ;-)

Well, it is very simple. If you drop a package, anyone stares into a black
hole. If you have a misconfigured program you basically get nothing.
If any server would respond you would at least get an error back that
something is not working right. Also if we are talking tcp the program just
assumes the package is lost and will resend it. That is just undesirable.
And it actually increases the load on the misconfigured target.

-H



-- 
Henning Follmann           | hfollmann@itcfollmann.com
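The trade-off discussed in this thread (drop by default so nothing is reflected toward a forged source address, versus reject so a misconfigured client gets an immediate error instead of retransmitting) can be expressed directly in an nftables ruleset. The following is an added example written for this page, not a ruleset from any of the posters; the LAN prefix 192.0.2.0/24, the interface name eth0 and the exposed port 22 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: default-drop input chain with an explicit reject only for a
# trusted LAN.  Assumed values: LAN 192.0.2.0/24, interface eth0, SSH on 22.
flush ruleset

table inet filter {
    chain input {
        # Policy drop: anything not accepted below is silently discarded,
        # so no RST / ICMP error is ever generated toward an unknown source.
        type filter hook input priority filter; policy drop;

        # Loopback and replies to connections this host started.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Services this host intentionally exposes.
        tcp dport 22 accept

        # Trusted LAN only: answer with a real error so a misconfigured
        # internal client fails fast instead of retransmitting into a
        # black hole.  Sources here are reachable and not spoofable from
        # outside, which is what makes reject acceptable for them.
        iif "eth0" ip saddr 192.0.2.0/24 meta l4proto tcp reject with tcp reset
        iif "eth0" ip saddr 192.0.2.0/24 reject with icmpx type port-unreachable

        # Everything else falls through to the drop policy; keep a rate-limited
        # log line so silent drops remain visible to the operator.
        limit rate 5/second log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the LAN reject rules must come before the fall-through log line, since the first matching verdict wins.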

