RE: [suse-security] Re [suse-security] SuSEfirewall2 behaves strangely
> -----Original Message-----
> From: Marc Samendinger [mailto:marc.samendinger@xxxxxxxxxxxx]
> Sent: 09 January 2004 13:50
> > -----Original Message-----
> > From: Tom Knight [mailto:thomas.knight@xxxxxxxxxx]
> > Sent: Friday, January 09, 2004 1:52 PM
> > >
> > Trying to ftp to (say): 220.127.116.11 I get a "connection refused"
> > immediately.
> > Oh ho, a machine is there, what else can I try?
> In this case it doesn't matter if you DROP or REJECT the packet
> (except the connection timeout vs the connection refusal)
> If there's no response you know there's a firewall in place
> otherwise another (properly configured) host would have sent an
> ICMP host/network unreachable.
> Your machine is not invisible just because you DROP IP connections.
True, but if you're in control of a network, and everyone's equally
"hidden", then it makes it a little harder for an attacker to find a
real machine. After all, it's rare for all the IP addresses on your
class B to be used...
> > If the attacker tries port 1 against 18.104.22.168, port 2 against
> > 22.214.171.124 etc, he'll find your machine and attack. This is one
> > of the port scans I've seen in use against my old work.
> > If you drop everything (except for externally available ports), then
> > there's a good chance the attacker won't try (say) port 21 against
> > 126.96.36.199, and so won't see that that machine exists.
> What prevents the attacker from starting multiple scans at once?
Nothing at all.
Sometimes a scan is for all ports on one IP address, or for one port
on all IP addresses, sometimes it's the method I described. It seems
to depend on the tool the attacker's using.
> > Dropping packets is actually a line of defense, and you really
> > should use it.
> Again, there are different opinions about this topic, everyone
> should decide on his own if DROP or REJECT is his choice.
I guess I'll read up some more on this. I'd always been told (and
it seemed reasonable to me) that dropping's a good idea. Thanks for
helping open my mind!
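
Added example, not part of the original message: a sketch of telling apart the three scan patterns mentioned above (all ports on one IP, one port on all IPs, and port N against the Nth address) from dropped-packet records. The record format, the addresses and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of firewall "dropped packet" records as
# (source IP, destination IP, destination port). All addresses are
# documentation ranges (RFC 5737), not addresses from the thread.
NET = "192.0.2."
SAMPLE_EVENTS = (
    # all ports on one IP address
    [("198.51.100.10", NET + "5", p) for p in (21, 22, 23, 25, 80)]
    # one port on all IP addresses
    + [("198.51.100.20", NET + str(h), 21) for h in range(1, 6)]
    # port 1 against the first host, port 2 against the second, ...
    + [("198.51.100.30", NET + str(n), n) for n in range(1, 6)]
    # a single stray packet, not a scan
    + [("203.0.113.7", NET + "9", 80)]
)


def classify_scans(events, min_probes=4):
    """Return {source IP: scan shape} for sources with >= min_probes distinct probes."""
    probes_by_src = defaultdict(set)
    for src, dst, port in events:
        probes_by_src[src].add((dst, port))

    shapes = {}
    for src, probes in probes_by_src.items():
        if len(probes) < min_probes:
            continue
        hosts = {dst for dst, _ in probes}
        ports = {port for _, port in probes}
        if len(hosts) == 1:
            shapes[src] = "vertical"      # many ports, one host
        elif len(ports) == 1:
            shapes[src] = "horizontal"    # one port, many hosts
        elif len(hosts) == len(ports) == len(probes):
            shapes[src] = "diagonal"      # every host probed once, each on its own port
        else:
            shapes[src] = "mixed"
    return shapes


def max_probes_per_host(events, src):
    """Largest number of distinct ports any one destination saw from src."""
    ports_by_dst = defaultdict(set)
    for s, dst, port in events:
        if s == src:
            ports_by_dst[dst].add(port)
    return max((len(p) for p in ports_by_dst.values()), default=0)
```

Counted per destination host, the diagonal source never exceeds one probe per machine, so it only stands out when the drops are grouped by source address across the whole network.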