The purpose of the stealth rule is so that when they ping the IP of the firewall it will not respond. If you have other servers, then they should be on different IPs and should be redirected through the firewall. The purpose of this is so that if you have your firewall set up, then they can't hack the firewall itself. If you have a webserver for instance, then they can still hack the webserver. This is the reason for hardening and for the vigilance to patch the OS that runs the webserver. A firewall is not a cure-all; it does a specific job, to control traffic. If you want better protection on any server that has a window to the outside world through your firewall, you might want to think about an IDS.
Wesley Song
Systems/Network Administrator
Atlas Support Centers
303.692.0451 x270
720.205.6079

-----Original Message-----
From: ___cliff rayman___ [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 6:33 PM
To: Bourque Daniel; [EMAIL PROTECTED]
Subject: Re: NAT, Internet access and security

Bourque Daniel wrote:
> Normally, you want your FW to be as invisible as possible (black hole) so
> you just drop all incoming packets that are not specifically allowed in by a
> rule. What you can't see can only be attacked by guessing. Rejecting gives
> back information to the bad guy... hmmm....

i think it is a black hole only if it does not respond on any port. that is, every port is drop (deny). of course, in that case, nothing gets through the network. if you drop packets on most ports, but allow some in on others, you are telling the "bad guys" that you are using a firewall and that you drop packets instead of reject them. if you reject packets, then you might just be a host that does not have that service running. in either case, i don't think it is going to make much of a difference to most "bad guys", since they will just try and hack you on the ports that are open in any case.

> In the case of a smtp mail server, it's better to reject incoming IDENT
> requests; otherwise, you will have timeout problems with the smtp delivery of
> your mail going out to some servers..

this is true!

> I had heard that it is better to have a 'reject' rule instead of a
> 'deny' one, as reject will give back an immediate reply to the
> interrogator, while just rejecting the query can give you a multitude of
> 'retry', which can eat your bandwidth with lots and lots of retries. If
> possible, can somebody point me where can I get correct information on
> this (white papers, hints, tips, anything..)
>
> Nick wrote:
>
> > I was under the impression that the "stealth rule" was to have anything
> > going directly to your Firewall dropped, therefore making your FW's
> > address a "black hole". It never answers anything, except what you
> > specifically allow for management purposes.

--
___cliff
[EMAIL PROTECTED]
http://www.genwax.com/
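As an added illustration of the two points made in this thread (the stealth rule that drops everything sent to the firewall's own address except management traffic, and rejecting rather than dropping IDENT toward a mail server so outbound delivery is not delayed), here is an iptables ruleset that is not part of any of the original messages. The addresses, the management subnet, the secondary public address for the mail server and the use of iptables itself are all assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout: the firewall's own
# outside address is 203.0.113.1, management SSH is allowed only from
# 10.0.0.0/24, and a mail server on 192.168.10.25 is reached through a
# second public address 203.0.113.2 held by the firewall. The function
# prints the rules so they can be reviewed before being piped to sh.
stealth_rules() {
    fw_ip="$1"; mgmt_net="$2"; mail_pub="$3"; mail_ip="$4"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management exception: the only traffic the firewall itself answers.
iptables -A INPUT -p tcp -s $mgmt_net -d $fw_ip --dport 22 -j ACCEPT
# Stealth rule: anything else sent to the firewall's own address is
# dropped, so a ping or scan of the firewall gets no reply at all.
iptables -A INPUT -d $fw_ip -j DROP
# IDENT (tcp/113) toward the mail server's public address is rejected
# with a TCP reset instead of dropped: a remote MTA that queries IDENT
# when our server connects to it gets an immediate answer rather than
# waiting for a timeout, so outgoing mail is not delayed.
iptables -A INPUT -d $mail_pub -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# The mail server is on its own address and is redirected through the
# firewall rather than hosted on it; the firewall only controls traffic.
iptables -t nat -A PREROUTING -d $mail_pub -p tcp --dport 25 -j DNAT --to-destination $mail_ip:25
iptables -t nat -A POSTROUTING -s $mail_ip -j SNAT --to-source $mail_pub
iptables -A FORWARD -d $mail_ip -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $mail_ip -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

stealth_rules 203.0.113.1 10.0.0.0/24 203.0.113.2 192.168.10.25
```

The mail server's own ports are still exposed through the redirect, which is exactly the case the first message makes for hardening and patching that host rather than relying on the firewall alone.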