I totally agree when you don't need to do connectivity troubleshooting on a frequent basis. But in our test plant environment RSTs come in handy when we troubleshoot remote connections going through several firewalls.
Nils Butturini

Russell wrote:
> +1 for the opinions expressed so far. Most commercial firewalls even have a "stealth mode" type feature that turns this sort of functionality on for you.
>
> ------------------------------------------------------------------------
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ben Greenfield
> Sent: Wednesday, October 07, 2009 2:53 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Drop or rst?
>
> I agree with Brett and Ron; to an attacker / pen tester a silently dropped packet doesn't offer much. A reset packet is a lot more indicative that some processing occurred.
>
> On Wed, Oct 7, 2009 at 2:52 PM, Brett Hoff <[email protected]> wrote:
>
> I also like to drop silently.
>
> I have built and monitor over 100 firewalls and almost always choose this option.
>
> Brett Hoff
> RHCT, Linux+, Security+
> Senior Security and Linux instructor
> Senior IT Security Engineer
> GCFA "Certified Forensics Analyst"
> Antler Computer Consulting
> Antler, Inc.
> We do IT World Class!
> 850-857-7707
> itworldclass.com <http://itworldclass.com>
>
> ------------------------------------------------------------------------
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Norman Rach
> Sent: Wednesday, October 07, 2009 11:39 AM
> To: [email protected]
> Subject: [Pauldotcom] Drop or rst?
>
> Hi Everyone,
>
> I'm currently in a discussion about our current ruleset for iptables. Whether to be RFC compliant and issue a RST to those scanning/connecting to undesired ports or to drop the packet completely. By sending a RST back to the host, aren't we letting the srcIP know that the traffic successfully arrived at the host without being intercepted by a network appliance (i.e. IDS/IPS, firewall, etc.)?
>
> As far as I can tell this seems to be more of a discussion on one's own security posture preference. Any feedback is appreciated.
>
> Cheers!
> NR
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
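The two iptables choices debated in this thread, as an added example that is not from any of the posters: the same ruleset emitted with either a silent DROP or an RFC-style REJECT with a TCP reset for unsolicited packets, plus a rate-limited LOG rule so that a silent drop can still be traced from the firewall side when a remote connection fails. The single allowed service port (22) and the log prefix are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emit an iptables-restore ruleset.
# Usage: gen_rules drop|rst   (e.g. gen_rules drop | iptables-restore)
# Assumption: one allowed inbound service on tcp/22; everything else
# unsolicited is handled by the chosen policy.
gen_rules() {
    mode="$1"
    case "$mode" in
        drop) final='-j DROP' ;;                                   # scanner gets nothing back
        rst)  final='-p tcp -j REJECT --reject-with tcp-reset' ;;  # scanner sees a RST
        *)    echo "usage: gen_rules drop|rst" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log what reaches us before disposing of it, so a silent drop can still be
# traced when troubleshooting a connection through several firewalls.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-unsolicited: "
-A INPUT $final
COMMIT
EOF
}
```

In rst mode only TCP gets a reset; anything else unsolicited still falls through to the INPUT chain's DROP policy.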
