On Sun, May 28, 2000 at 18:07 +0200, Steffen Dettmer wrote:
> * Gerhard Sittig wrote on Sat, May 27, 2000 at 22:18 +0200:
>> BTW I'm aware of the fact that denied packets "reveal" there's some kind of filter in between, attracting the kids like locked doors to forbidden rooms ...
> Why should this happen? I would assume that kids would think they hit a machine that is currently down, or an unused IP/DNS name.
Portscanning a machine with some ports open and some denied (i.e. without reaction) will tell you there's some blocker in between, usually a packet filter. Of course denial slows the scan (it's running into timeouts instead of getting quick responses). But rejecting will make you subject to fingerprinting. Although I'm not *that* sure of all these things, I simply got used to
- pass the valid services
- deny the others and
- reject auth (tcp 113) only, to not slow down SMTP delivery and others curious about these things (but still not relying upon them, so I don't break anything)

Feel free to tell me I'm wrong, chances are quite overwhelming that I am. :) Luckily I'm just an average user and not a "real" admin. :>
> I usually don't use packet deny but reject. Since all packets get rejected and ICMPs get generated, I cannot imagine what could attract some kids or whoever. They see a firewall only, nothing more.
Here's what I got from reading the ipfilter HowTo, which has a lot of general firewalling stuff, too. (I guess I have to dig up the URL, it could be recommended reading. Unless somebody else already has it handy and can deliver it faster than me.) Rejecting closed TCP ports and sending icmp-unreach for closed UDP ports and ICMP requests will make the machine look like it would without the filter. Denying will reveal that there's something blocking, making the kids think "something's wrapped, it's precious and interesting for me". But it turns out to be left to the admin's personal taste to choose between denial and rejection.
>> Any decent firewall (or even the TCP stack) should drop corrupted and malformed packets even before the header fields are looked at and used to base decisions upon.
> Are you sure that a fragmented ICMP is always corrupt? Maybe there are some ways/nets with a very small MTU?
There I was writing quicker than I was reading. :( Fragmented ICMP packets aren't (necessarily) corrupted. But I had in mind a Bugtraq article of the last days where a cracker misused artificially wrongly fragmented ICMP to fool TCP stacks. It seems to be necessary to always defragment everything on a firewall. Trying to cut corners often turns out to fail sooner or later. And by employing path MTU discovery fragmentation should even become uncommon and avoidable. Maybe one even should drop fragmented packets in general, as well as packets too short to be real and source routed packets where the workstation (or origin) thinks it is more clever than the routers about routing?

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
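As an added illustration, not part of this mail and not taken from the ipfilter HowTo it mentions, here is how the policy Gerhard describes (pass the wanted services, silently deny the rest, return a RST only for auth/113 so mail delivery is not delayed, and handle fragments, too-short and source-routed packets on the filter) could be written as an IPFilter ruleset. The outside interface name `ep0` and the served ports 22 and 25 are assumptions; the rules take the stricter option from the end of the mail and drop fragments outright rather than reassembling them.

```ipf
# Added example (not from the mail): IPFilter rules for the policy discussed above.
# Assumptions: the outside interface is "ep0"; the host offers SSH (22) and SMTP (25).

# Fragments: the mail argues the filter must not pass them unexamined.
# Here the stricter choice is taken and any fragment is dropped silently.
block in quick on ep0 all with frag

# Packets too short to carry the header they claim, and packets carrying
# loose/strict source routing options (the origin trying to out-route the routers).
block in quick on ep0 all with short
block in quick on ep0 all with opt lsrr
block in quick on ep0 all with opt ssrr

# Pass the valid services: only a SYN may open a connection, replies are
# matched by the state table instead of by separate rules.
pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ep0 proto tcp from any to any port = 25 flags S keep state

# Reject auth/ident with a RST, so remote MTAs asking for ident get an
# immediate answer instead of waiting for their timeout.
block return-rst in quick on ep0 proto tcp from any to any port = 113

# Deny everything else silently (no RST, no ICMP): probes run into timeouts,
# at the cost of revealing that a filter is present, as discussed above.
block in quick on ep0 all
```

Rule order matters because every rule is `quick`: the first match wins, so the sanity checks come first, the explicit passes and the single reject next, and the catch-all deny last. Swapping the last two lines would make the 113 reject unreachable.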