Hi. I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? Notes: - DENY simply blocks ident service. Nmap will detect the port as "blocked" (after timeout), since no packet is returned in response to SYN attempt. - REJECT works similarly to Deny, except that it will send an ICMP error message. But no tcp packet is sent in response to SYN query. The port will be detected as "blocked". The behaviour I want is NOT one of the above. What I want is a RST to be sent, so services using ident (like ftp or sendmail) doesn't have to wait for tcp request timeout. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? I think if you leave the port open and don't run identd you will have the desired behaviour ...
bye! Markus -- _____________________________ Markus Gaugusch ICQ 11374583 markus@gaugusch.dhs.org 78
On Tue, 14 Nov 2000 12:36:32 +0100 (CET), you wrote:
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? I think if you leave the port open and don't run identd you will have the desired behaviour ...
Right. But I cannot do that, identd is running and I don't want to close it. The idea is that some hosts/networks can see the service (opened) and some others not (through packet filtering). BTW, a total different matter. How is produced the Syslog (514/udp) handshaking in a centralized environment? I set up a machine with syslog in listening mode (-r) and configured the other machines to forward logs the the former machine. I though only the first (listening) machine would open the service port (514/udp), but I got surprised when I saw the other machines also had the same port open!!! (these last ones run syslog in normal mode, not listening). I've observed these machines open and begin listening their syslog port inmediately when I add the following line in /etc/syslog.conf and re-start syslog: *.* @logger-machine Why does it happen? I thought logs were sent to the logger machine in an unidirectional fashion so only 514 port *in logger machine* was opened.... PS: Automatic "away" responses should NOT be allowed in mailing-lists (use filters like procmail, dudez). They're annoying. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi On Tue, Nov 14, 2000 at 12:33:06PM +0100, RoMaN SoFt / LLFB!! wrote:
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? README for Return-RST, a Linux 2.2 firewall helper tool -------------------------------------------------------
Written by Nic Bellamy
Does the newer iptables packet filter offer a RST return function?
Charlie
----- Original Message -----
From: Alexander Reelsen
Hi
On Tue, Nov 14, 2000 at 12:33:06PM +0100, RoMaN SoFt / LLFB!! wrote:
I want my (firewalled)-gw responds to an ident (113 port) request with a RST packet, thus simulating the service is closed. I'm using Ipchains with kernel 2.2.17. Is there any way of doing that? README for Return-RST, a Linux 2.2 firewall helper tool -------------------------------------------------------
Written by Nic Bellamy
of Bellamy Consulting Limited - http://www.bellamy.co.nz/ Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will tip an attacker off to the fact they're being filtered.
I guess that is what you're searching for. In addition it is using the netlink socket and the ability of passing packets over to the userspace, so it cannot handle and endless high amount of connections. However, it should be sufficient without problems for identd only.
MfG/Regards, Alexander
P.S. Apologises if I sent ealier mails with wrong sender, or if it bounced. My mailsystem was misconfigured and I can't blame it on anyone else. If you've sent me a mail in the last 14 days, please resend it.
-- Alexander Reelsen http://joker.rhwd.de ref@linux.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Thu, 16 Nov 2000 22:37:06 -0000, you wrote:
Does the newer iptables packet filter offer a RST return function?
I haven't checked it for myself, but I was told the answer is yes :-) The problem is that 2.4 kernels are not very stable but experimental/beta. I'd not use it on production systems... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi On Thu, Nov 16, 2000 at 10:37:06PM -0000, Charles Price wrote:
Does the newer iptables packet filter offer a RST return function? Just check the manpage. Here's an excerpt of the iptables manpage:
--reject-with type and generates a ping reply. Finally, the option tcp-reset can be used on rules in (or called from) the INPUT chain which only match the TCP protocol: this causes a TCP RST packet to be sent back. However there's another reject patch in the source. I don't know what exactly they do, better you check it out. MfG/Regards, Alexander -- Alexander Reelsen http://joker.rhwd.de ref@linux.com GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
participants (4)
-
Alexander Reelsen
-
Charles Price
-
Markus Gaugusch
-
RoMaN SoFt / LLFB!!