
RE: [suse-security] Re [suse-security] SuSEfirewall2 behaves strangely




> -----Original Message-----
> From: Marc Samendinger [mailto:marc.samendinger@xxxxxxxxxxxx]
> Sent: 09 January 2004 13:50
> 
> > -----Original Message-----
> > From: Tom Knight [mailto:thomas.knight@xxxxxxxxxx]
> > Sent: Friday, January 09, 2004 1:52 PM
> >
> > Trying to ftp to (say): 196.30.15.82 I get a "connection refused"
> > immediately.
> > Oh ho, a machine is there, what else can I try?
> 
> In this case it doesn't matter if you DROP or REJECT the packet
> (except for the connection timeout vs. the connection refusal).
>
> If there's no response you know there's a firewall in place;
> otherwise another (properly configured) host would have sent an
> ICMP host/network unreachable.
> Your machine is not invisible just because you DROP IP connections.

True, but if you're in control of a network, and everyone's equally
"hidden", then it makes it a little harder for an attacker to find a
real machine. After all, it's rare for all the IP addresses on your
class B to be used...

> > If the attacker tries port 1 against 196.30.15.1, port 2
> > against 196.30.15.2 etc., he'll find your machine and attack.
> > This is one of the port scans I've seen in use against my old work.
> >
> > If you drop everything (except for externally available ports),
> > then there's a good chance the attacker won't try (say) port 21
> > against 196.30.15.82, and so won't see that that machine exists.
> 
> What prevents the attacker from starting multiple scans at once?

Nothing at all.
Sometimes a scan is for all ports on one IP address, or for one port
on all IP addresses, sometimes it's the method I described. It seems
to depend on the tool the attacker's using.

> > Dropping packets is actually a line of defense, and you really
> > should use it.
>
> Again, there are different opinions about this topic; everyone
> should decide on his own whether DROP or REJECT is his choice.

I guess I'll read up some more on this. I'd always been told (and
it seemed reasonable to me) that dropping's a good idea. Thanks for
helping open my mind!

Tom.
