On Fri, Sep 01, 2000 at 01:55:58PM +0800, Vincent Huang wrote:
> 1). In setting up packet filtering rules, the user can define if he
> wants to accept, deny or drop it. What is the difference between
> DENY and DROP? One salesperson from IBM asked me "does DROP packet mean
> the firewall just doesn't log it?"

Depends on the product, on Linux you have DENY and REJECT. The first case
will just drop the packet, the second will also send an ICMP Reject Message
back to the host (making it easier for the attacker to see that a port is
filtered, but making failed connections somewhat faster to recognize). So you
will most likely use reject for internal connection attempts to the outside
and use deny/drop for external connections (to avoid DoS attacks based on
that and to lower the amount of info an attacker can gain).

Btw: this is not related to logging, rejected and denied packets can be
logged or silently processed.

The ICMP message sent back depends on the implementation, too. There is an
"administratively prohibited" ICMP subtype, but since not all hosts
understand that correctly some firewall implementations also use "host
unreachable" or something like that.

> 2). Users need telnet, ftp, http transparent authentication in user
> and session mode. Firewall-1 can do it, but do I have other choices?
> Can Sidewinder or Raptor or Gauntlet meet this?

all of them afaik


> 3). can firewall auto detect "mail relay " behavior?
> I think firewall-1 can not meet this...

it is something every mail transport agent including the secure SMTP servers
on most firewalls can easily do (as long as you don't need support for mobile
users, in which case you might need POP-before-SMTP or SSL client certificates
for SMTP).

Greetings
Bernd


-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
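The deny-vs-reject policy Bernd describes (reject internal attempts to reach the outside so they fail fast, silently drop unsolicited traffic from the outside, log independently of either), written out as an added example rather than anything from the original message. It uses iptables, where the ipchains DENY target corresponds to DROP; the interface names, the LAN range and the set of allowed outbound ports are assumed placeholders, and the rule set is emitted to stdout for review rather than applied unless explicitly requested as root.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules implementing the
# "reject inside-to-outside, drop outside-to-inside" split described above.
# Interface names and networks below are assumed placeholders.

INSIDE_IF="${INSIDE_IF:-eth1}"              # assumed: interface facing the LAN
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"            # assumed: interface facing the Internet
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"  # assumed: LAN address range

# Emit the rules as iptables commands on stdout without applying them, so the
# policy can be reviewed (or checked by a script) before it reaches a firewall.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal users reaching the outside: allow web and mail only (assumed policy)
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -p tcp -m multiport --dports 80,443,25 -j ACCEPT
# Anything else from the inside gets an explicit ICMP "administratively
# prohibited" error, so the client fails at once instead of waiting for a timeout
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -j REJECT --reject-with icmp-admin-prohibited
# Unsolicited traffic from the outside: log at a limited rate, then drop silently.
# Logging is a separate decision from dropping or rejecting.
iptables -A FORWARD -i $OUTSIDE_IF -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A FORWARD -i $OUTSIDE_IF -j DROP
EOF
}

# Classify the action a single rule line takes.
rule_action() {
    case "$1" in
        *"-j REJECT"*) echo reject ;;
        *"-j DROP"*)   echo drop ;;
        *"-j ACCEPT"*) echo accept ;;
        *"-j LOG"*)    echo log ;;
        *)             echo other ;;
    esac
}

# Count how many rules on input interface $1 take action $2; used to confirm
# that the inside interface only ever rejects and the outside one only drops.
count_actions() {
    build_rules | grep -- "-i $1 " | while read -r line; do
        rule_action "$line"
    done | grep -c "^$2\$" || true
}

# Apply only when explicitly asked and running as root; otherwise just print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    build_rules | grep -v '^#' | sh -e
else
    build_rules
fi
```

Run without arguments to review the generated rule set; `count_actions eth1 reject` and `count_actions eth0 drop` each return 1 for the defaults, which is the policy split the message recommends. The LOG rule sits before the DROP rule because a DROP target ends rule traversal, so logging has to be its own earlier rule whichever final verdict you choose.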