From past experience, I believe the risk associated with using REJECT instead of Drop/Deny on the Gateway (Firewall or Router), especially to block ICMP, is that this may well give away the identity of the firewall and leaves it vulnerable to known exploits (published or unpublished).
Just a thought, so please correct me if I am wrong. Cheers!

T.Lambo, CISSP

In a message dated 18/11/01 20:38:36 GMT Standard Time, [EMAIL PROTECTED] writes:

<< Subj: RE: Differences between closed and filtered ports
Date: 18/11/01 20:38:36 GMT Standard Time
From: [EMAIL PROTECTED] (Golden_Eternity)
To: [EMAIL PROTECTED] (Bandi), [EMAIL PROTECTED]

> I recently thought about the following. If a port is closed the host
> refuses the connection. What exactly does the host respond with?

It sends a reset.

> Is it necessary that the host responds on a closed port (couldn't that be
> managed in some way with timeouts)?

If the host is alive it sends back a reset so that you don't have to wait for the timeout; otherwise the application would be stalled waiting for the timeout.

> Could you suggest a way to make ipchains act like a port was closed when
> filtering it, so that a portscanner from certain machines wouldn't notice
> the firewall?

Use '-j REJECT' instead of '-j DROP'.

For more info on this subject you can see my paper "Firewall rule exposure on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html), but your best bet is one of Fyodor's papers on how nmap (http://www.insecure.org/nmap/) works.
-G_E

----------------------- Headers --------------------------------
From: "Golden_Eternity" <[EMAIL PROTECTED]>
To: "Bandi" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: Differences between closed and filtered ports
Date: Thu, 15 Nov 2001 08:53:06 -0800
List-Id: <security-basics.list-id.securityfocus.com>
>>
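The trade-off both posts describe (a DROP is silent and so marks the port "filtered", a REJECT answers, and the kind of answer decides whether the probe sees a plain closed port or an error that points back at the filtering device) can be checked against a ruleset before it is deployed. The following Python audit is an added example, not code from the thread or from the people in it: it assumes iptables-save syntax rather than the ipchains the thread discusses, assumes iptables' documented REJECT default (ICMP port-unreachable unless `--reject-with tcp-reset` is given), and the ruleset, the `Finding` record and the `classify_rule`/`audit` helpers are all constructed here for illustration.

```python
"""Audit iptables rules for what a remote probe would infer from each one.

Added example; assumes iptables-save syntax and iptables' default REJECT
behaviour (ICMP port-unreachable unless --reject-with is given).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ruleset in iptables-save format (not from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j REJECT
-A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -p udp --dport 161 -j DROP
-A INPUT -p udp --dport 514 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited
COMMIT
"""


@dataclass
class Finding:
    rule: str
    scanner_sees: str     # "open", "closed", "filtered" or "unknown"
    filter_visible: bool  # does the reply (or its absence) betray a filter?
    note: str


# "-A <chain> <match options> -j <target> [target options]"
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+(?P<match>.*?)\s*-j\s+(?P<target>\S+)(?P<opts>.*)$"
)


def classify_rule(line: str, on_gateway: bool = False) -> Optional[Finding]:
    """Predict how a remote TCP/UDP probe perceives one rule.

    on_gateway=True models the thread's case: the filter is a separate
    gateway, so any ICMP error it emits carries the gateway's own address.
    """
    m = RULE_RE.match(line.strip())
    if m is None:
        return None  # table header, chain policy, COMMIT: nothing to classify
    match, target, opts = m.group("match"), m.group("target"), m.group("opts")
    proto_m = re.search(r"-p\s+(\S+)", match)
    proto = proto_m.group(1) if proto_m else "all"

    if target == "ACCEPT":
        return Finding(line, "open", False, "the service itself answers the probe")
    if target == "DROP":
        return Finding(line, "filtered", True,
                       "no reply at all; a live host that stays silent tells the prober a filter exists")
    if target == "REJECT":
        rw = re.search(r"--reject-with\s+(\S+)", opts)
        kind = rw.group(1) if rw else "icmp-port-unreachable"  # iptables default
        if proto == "tcp" and kind == "tcp-reset":
            return Finding(line, "closed", False,
                           "a TCP RST is exactly what an unfiltered closed port sends")
        if proto == "udp" and kind == "icmp-port-unreachable":
            if on_gateway:
                return Finding(line, "closed", True,
                               "looks closed, but the ICMP error is sourced from the gateway's own address")
            return Finding(line, "closed", False,
                           "ICMP port-unreachable is what an unfiltered closed UDP port sends")
        return Finding(line, "filtered", True,
                       f"an ICMP {kind} error comes from the filtering device, not from a service")
    return Finding(line, "unknown", False, f"target {target} is not modelled here")


def audit(rules: str, on_gateway: bool = False) -> List[Finding]:
    """Classify every -A rule in an iptables-save dump."""
    findings = []
    for line in rules.splitlines():
        f = classify_rule(line, on_gateway)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, on_gateway=True):
        flag = "REVEALS FILTER" if f.filter_visible else "blends in"
        print(f"{f.scanner_sees:8} {flag:15} {f.rule}\n    {f.note}")
```

Run on the sample, only the `tcp-reset` rule blends in with a normal closed port; the bare `-j REJECT` on port 23 answers with an ICMP error and is reported as visible, which is the ICMP case the first post warns about, and the UDP port-unreachable rule flips from "blends in" to "reveals filter" once `on_gateway=True` because the error then carries the gateway's address rather than the target's.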
