On Sat, 30 Oct 2004 19:12, martin f krafft <[EMAIL PROTECTED]> wrote:
> thus spoke Russell Coker <[EMAIL PROTECTED]> [2004.10.30.1106 +0200]:
> > If you block with tcp-reset then not only will the person
> > connecting get a fast response, but someone who port scans you
> > won't know which ports don't have anything listening on them and
> > which ports are blocked by iptables.
>
> While it can be considered "kind" to let people know which ports are
> inaccessible, I always treat access to ports that I did not open for
> the public as an offence. Thus, I do not feel obliged to let the
> offender know that s/he is accessing an inaccessible port.
Which is why you want a TCP RST packet so that they don't know the port is
being blocked by a firewall, just that the port is not available.

> As an added benefit, DROP obscures who is dropping. It could be the
> host or a firewall before it. Now that I think of it, however,
> a firewall would spoof the sending IP when rejecting with tcp-reset,
> right?

Yes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
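The exchange above compares DROP with REJECT --reject-with tcp-reset from the prober's side. As an added example that is not part of the thread, the Python model below simulates the reply a SYN probe gets under each policy and classifies it the way a scanner would, showing that only DROP produces "filtered" results that reveal a packet filter, and that a tcp-reset RST carries the probed host's address as its source even when an upstream firewall sent it. The host, addresses and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Host:
    addr: str                    # address the prober is scanning (constructed)
    listening: set               # ports with a service bound
    public: set                  # ports the firewall lets through
    policy: str                  # "DROP" or "REJECT" (tcp-reset) for everything not public
    firewall_addr: Optional[str] = None   # upstream firewall doing the filtering, if any

def probe(host: Host, port: int) -> Optional[Tuple[str, str]]:
    """Reply one SYN probe elicits, as (packet, source address); None if nothing comes back."""
    if port not in host.public:
        if host.policy == "DROP":
            return None                       # silently discarded, prober times out
        # REJECT --reject-with tcp-reset: the RST is built with the probed address as its
        # source, so host.firewall_addr never shows up even when the firewall generated it.
        return ("RST", host.addr)
    if port in host.listening:
        return ("SYN-ACK", host.addr)
    return ("RST", host.addr)                 # nothing bound: the kernel itself answers RST

def classify(reply: Optional[Tuple[str, str]]) -> str:
    """Scanner-side interpretation of a single reply: open / closed / filtered."""
    if reply is None:
        return "filtered"                     # no answer at all: something is dropping packets
    return "open" if reply[0] == "SYN-ACK" else "closed"

def scan(host: Host, ports) -> dict:
    return {p: classify(probe(host, p)) for p in ports}

def reveals_filter(host: Host, ports) -> bool:
    """True when the scan result exposes that a packet filter is in the path."""
    return "filtered" in scan(host, ports).values()

if __name__ == "__main__":
    ports = [22, 25, 80, 3306]
    services, allowed = {22, 80, 3306}, {22, 80}
    for policy in ("DROP", "REJECT"):
        h = Host("192.0.2.10", services, allowed, policy, firewall_addr="192.0.2.1")
        print(policy, scan(h, ports), "filter visible:", reveals_filter(h, ports))
```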

