Re: pf - drop or return - is stealth mode overrated?
* Kian Mohageri [EMAIL PROTECTED] [2007-05-02 21:52]:
> Henning Brauer wrote:
> > * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
> > > Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.
> >
> > stealth mode is totally overrated.
>
> For my clarification, are we talking about stealth mode as in dropping everything (including pings) from untrusted hosts, or the default block-policy (drop vs. return)?

the latter, drop. the former is not overrated. it is incredibly stupid.

> Based on this discussion, I'm trying to decide if I want to change our firewall block-policy to 'return' even though we already allow ping and 'return' traffic to the firewalls themselves so things like traceroute can work.

being a nice net citizen you return an RST/icmp when you block sth.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: pf - drop or return - is stealth mode overrated?
* Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

stealth mode is totally overrated.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: pf - drop or return - is stealth mode overrated?
Henning Brauer wrote:
> * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
> > Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.
>
> stealth mode is totally overrated.

For my clarification, are we talking about stealth mode as in dropping everything (including pings) from untrusted hosts, or the default block-policy (drop vs. return)?

Based on this discussion, I'm trying to decide if I want to change our firewall block-policy to 'return' even though we already allow ping and 'return' traffic to the firewalls themselves so things like traceroute can work.
Re: pf - drop or return - is stealth mode overrated?
> > * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
> > > Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.
> >
> > stealth mode is totally overrated.
>
> For my clarification, are we talking about stealth mode as in dropping everything (including pings) from untrusted hosts, or the default block-policy (drop vs. return)?
>
> Based on this discussion, I'm trying to decide if I want to change our firewall block-policy to 'return' even though we already allow ping and 'return' traffic to the firewalls themselves so things like traceroute can work.

If the security of your network rests solely on an attacker's inability to ping you, see reset packets, or any other such stealth nonsense, you are already screwed. Stealth mode will do absolutely nothing to prevent sophisticated attackers from making a mess of your network if there are other weaknesses. At best, stealth mode might lead to a few less port scans and the like by script kiddies. At worst, stealth mode will inconvenience legitimate users, lead to mistakes by the local network staff, or provide a false sense of security.

-J
Re: pf - drop or return - is stealth mode overrated?
Kian Mohageri wrote:
> For my clarification, are we talking about stealth mode as in dropping everything (including pings) from untrusted hosts, or the default block-policy (drop vs. return)?

The only time when `dropping everything' is useful is when you are under a ddos to prevent load on the machine. In any other case you are being a bad netizen. A net scan is not worth paying attention to. And for the rest all you do is annoy decent hosts.

# Han
Re: pf - drop or return - is stealth mode overrated?
On Tuesday 24 April 2007 18:36, Chris Smith wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.
>
> Thanks,
> Chris

Stealth airplanes are pretty cool, so it gives that stealth mode must be cool too! :)

Though in this nefarious Internet it's not likely to add too much since you probably still browse and use email which is far more likely to bring undesired code into your computer.

Having said that, my LAN is not part of any valuable network where it is of any value to respond to others, and there are annoying attempts by various people to gain access, so I drop as a default.

--
Steve Szmidt

They that would give up essential liberty for temporary safety deserve neither liberty nor safety.
Benjamin Franklin
Re: pf - drop or return - is stealth mode overrated?
On Mon, Apr 30, 2007 at 09:35:02AM +0930, Adam Hawes wrote:
> > I find 'return' to be easier to work with. The LAN I am primarily thinking about is both infested with Windows and accessible via VPN - and the VPN has some Windows clients. Considering the people on said LAN, who are both sweet and smart but not in general computer-savvy, I'd be highly surprised if an attacker spent much time on the firewall.
>
> Windows... This stealth mode you talk of, wasn't it a term coined by the irrefutable GRC in his quest to rub snake oil all over everything so it runs faster? I only ever hear users of the EvilOS talking about stealthing their boxes.
>
> Not replying may save a little bit of upload bandwidth which may count if you're heavily scanned and have an asymmetric link with little outgoing bandwidth... but that is about all.

You seem to be confusing me with the OP, but yes. At least, the term 'stealth' is only used for and by Windows firewalls. Then again, it's at least somewhat useful against the simpler worms out there, so it might even make sense on a Windows box. (Not as much sense as actually setting it up in a sane way, of course - but that takes some effort and actual knowledge.)

Your point about limited upload bandwidth is correct, but mostly irrelevant - if some skiddie wants to DDoS you, you *will* drop off the net unless you have a very fast connection, upstream cooperation and/or good hardware (and even then...).

Joachim
--
TFMotD: write (1) - send a message to another user
Re: pf - drop or return - is stealth mode overrated?
> I find 'return' to be easier to work with. The LAN I am primarily thinking about is both infested with Windows and accessible via VPN - and the VPN has some Windows clients. Considering the people on said LAN, who are both sweet and smart but not in general computer-savvy, I'd be highly surprised if an attacker spent much time on the firewall.

Windows... This stealth mode you talk of, wasn't it a term coined by the irrefutable GRC in his quest to rub snake oil all over everything so it runs faster? I only ever hear users of the EvilOS talking about stealthing their boxes.

Not replying may save a little bit of upload bandwidth which may count if you're heavily scanned and have an asymmetric link with little outgoing bandwidth... but that is about all.
Re: pf - drop or return - is stealth mode overrated?
On Tue, Apr 24, 2007 at 06:36:17PM -0400, Chris Smith wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

I find 'return' to be easier to work with. The LAN I am primarily thinking about is both infested with Windows and accessible via VPN - and the VPN has some Windows clients. Considering the people on said LAN, who are both sweet and smart but not in general computer-savvy, I'd be highly surprised if an attacker spent much time on the firewall.

Joachim
--
TFMotD: tftp (1) - trivial file transfer program
pf - drop or return - is stealth mode overrated?
Hello,

Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

Thanks,
Chris
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Chris Smith [EMAIL PROTECTED] wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

Most people would maintain that drop vs. block+rst/icmp would be better, but I could see the arguments (that will no doubt come) that it really doesn't buy you any in the end and only attempts to obfuscate what can be mapped out anyhow (that a device somewhere in the network path is dropping traffic.)

I use silent drops except where immediate reject response is required (e.g. ident, etc.)

DS
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Chris Smith [EMAIL PROTECTED] wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

I use drop in most cases. Stealth mode isn't exactly going to add much, but I see no reason a host should receive any response at all when it is trying to talk to a host that doesn't exist or a port that isn't actually listening. Much of that activity is simply host/port scanning.

I could argue either way, but my preference is 'block drop' most of the time.

--
Kian Mohageri
Re: pf - drop or return - is stealth mode overrated?
Kian Mohageri writes:
> I see no reason a host should receive any response at all when it is trying to talk to a host that doesn't exist or a port that isn't actually listening.

Traceroute.

// marc
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Chris Smith [EMAIL PROTECTED] wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also read that using 'return' instead of 'drop' is good netizenship. So I'm wondering how others are handling this and what recommendations you might have.

Well, when it comes to staying safe, both return and drop both block unwanted traffic. Whether or not someone can determine if a host is up really won't do much for security.

That being said, return is preferable. It reduces traffic (SYN retransmits,) and will improve responsiveness for other hosts. Now if someone is nmapping you with -sS for instance, block drop will reduce traffic in that specific case (no RST from you.) The amount is generally negligible though. I'd recommend using pf.os to block nmap in this case so you can have the best of both worlds.

All in all, it does not really matter _that_ much. Don't stay awake at night thinking: did I write block drop or block return? AHH! I don't know! Hacks0arz are coming for me!!

--
Travers Buda
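As an added illustration of the ruleset Travers is describing (and of Henning's "return an RST/icmp when you block" and the ICMP point raised later in the thread), here is a pf.conf fragment. It is example configuration written for this page, not a ruleset posted by anyone in the thread. It assumes `em0` is the external interface, that the `NMAP` fingerprint class exists in the `/etc/pf.os` shipped with OpenBSD, and it uses a constructed `<ddos>` table that the admin would fill by hand with `pfctl -t ddos -T add` while under load (Han's "only time dropping everything is useful" case).

```pf
# Example pf.conf fragment (added illustration, not from the thread).
# Assumption: em0 is the Internet-facing interface.
ext_if = "em0"

# Assumption: table is filled by the admin only while under attack,
# e.g. "pfctl -t ddos -T add 192.0.2.0/24" (constructed address, TEST-NET-1).
table <ddos> persist

# Default block policy: answer blocked TCP with RST and blocked UDP with
# ICMP unreachable ("good netizenship"). Any other blocked protocol is
# still dropped silently; that is how "return" is defined in pf.conf(5).
set block-policy return

# Default deny, using the policy above.
block log all

# Per-rule override 1: while under DDoS, drop silently to save CPU and
# upstream bandwidth; nothing is sent back to the attacking sources.
block drop in quick on $ext_if from <ddos>

# Per-rule override 2: "best of both worlds". Connections whose SYN is
# fingerprinted as nmap are dropped without an RST, everything else still
# gets the polite return. Assumes the NMAP class in /etc/pf.os; OS
# fingerprinting only works on TCP SYN packets.
block drop in quick on $ext_if proto tcp from any os "NMAP"

# RFC 1122: keep ICMP useful. Echo requests in so ping works; the
# "return" policy already answers traceroute's UDP probes with
# ICMP unreachable, so they terminate cleanly instead of timing out.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Outbound from the firewall and the LAN behind it.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The two `block drop ... quick` rules sit before the generic rules so they win on first match; if you remove them, the whole ruleset degrades to plain `block return` behaviour, which is the baseline most of the thread recommends.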
Re: pf - drop or return - is stealth mode overrated?
Kian Mohageri wrote:
> I could argue either way, but my preference is 'block drop' most of the time.

Hopefully most of the time does not include ICMP.

---
Lars Hansson
Re: pf - drop or return - is stealth mode overrated?
* Lars Hansson [EMAIL PROTECTED] [2007-04-25 11:20:43]:
> Kian Mohageri wrote:
> > I could argue either way, but my preference is 'block drop' most of the time.
>
> Hopefully most of the time does not include ICMP.

Yeah, wouldn't want to violate RFC 1122. ICMP is a Good Thing. $ ping machine is a hell of a lot easier than crafting some TCP action to see whether a host is up or not.

--
Travers Buda
Re: pf - drop or return - is stealth mode overrated?
On 4/24/07, Lars Hansson [EMAIL PROTECTED] wrote:
> Kian Mohageri wrote:
> > I could argue either way, but my preference is 'block drop' most of the time.
>
> Hopefully most of the time does not include ICMP.

It doesn't.

--
Kian Mohageri