-----Original Message-----
From: Barry Gill [mailto:b@rry.co.za]
Sent: 09 January 2004 11:45
To: suse-security@suse.com
Subject: RE: Re: [suse-security] SuSEfirewall2 behaves strangely
Does anybody know how I can tell the SuSEfirewall2... ... to stealth *all* ports to the internet, including port 113.
Try FW_REJECT="yes"

Rejecting packets rather than dropping packets tells the querying system that that service does not exist. So unless the rules allow for a connection, packets will be rejected.

Causes a bit of extra bandwidth, but at least it gives no info about your system....
Surely what you want to do is not tell someone the service doesn't exist, but rather not tell them anything? If you drop the packet they don't even know that the port exists, rather than that the port exists and is configured not to let them access it. Trying to ftp to (say) 196.30.15.82 I get a "connection refused" immediately. Oh ho, a machine is there, what else can I try? If the attacker tries port 1 against 196.30.15.1, port 2 against 196.30.15.2 etc., he'll find your machine and attack. This is one of the port scans I've seen in use against my old work. If you drop everything (except for externally available ports), then there's a good chance the attacker won't try (say) port 21 against 196.30.15.82, and so won't see that that machine exists.

Also read the comments in /etc/sysconfig/SuSEfirewall2 for that section, in the area labelled "EXPERT OPTIONS - all others please don't change these!":

#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_REJECT="no"

Dropping packets is actually a line of defense, and you really should use it.

Tom.
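An added example (not part of the thread, and not SuSEfirewall2's own code) showing the defender's side of Tom's point: with FW_REJECT="no" the scanner learns nothing from the silence, but each dropped probe can still be logged, so the "port 1 against host .1, port 2 against host .2" sweep he describes is visible in the firewall log. The log lines below are constructed in the style of SuSEfirewall2's kernel-log DROP entries (prefix format and drop logging being enabled are assumptions); the scanner addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample kernel-log lines in the style SuSEfirewall2 uses when it
# logs dropped packets (prefix format assumed); the 196.30.15.x targets are the
# ones mentioned in the thread, the sources are documentation addresses.
SAMPLE_LOG = """\
Jan  9 11:45:01 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=196.30.15.1 PROTO=TCP SPT=40001 DPT=1 SYN
Jan  9 11:45:02 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=196.30.15.2 PROTO=TCP SPT=40002 DPT=2 SYN
Jan  9 11:45:03 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=196.30.15.3 PROTO=TCP SPT=40003 DPT=3 SYN
Jan  9 11:45:04 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=196.30.15.4 PROTO=TCP SPT=40004 DPT=4 SYN
Jan  9 11:45:09 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.9 DST=196.30.15.82 PROTO=TCP SPT=51000 DPT=21 SYN
Jan  9 11:45:10 gw kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=198.51.100.9 DST=196.30.15.82 PROTO=TCP SPT=51001 DPT=22 SYN
"""

# Only DROP entries matter here; accepted (ACC) lines are deliberately skipped.
DROP_RE = re.compile(
    r"SFW2-\S+-DROP\S*\s.*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)

def parse_drops(log_text):
    """Yield (src, dst, proto, dport) for every logged DROP line."""
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def find_host_sweeps(log_text, min_hosts=3):
    """Return {src: distinct-destination count} for sources whose dropped
    probes touched at least min_hosts different destination addresses."""
    targets = defaultdict(set)
    for src, dst, _proto, _dpt in parse_drops(log_text):
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_hosts}

def find_sequential_sweeps(log_text, min_hosts=3):
    """Stricter check for the pattern in the thread: the probed TCP port equals
    the last octet of the destination address, across min_hosts destinations."""
    hits = defaultdict(set)
    for src, dst, proto, dpt in parse_drops(log_text):
        if proto == "TCP" and dst.rsplit(".", 1)[-1] == str(dpt):
            hits[src].add(dst)
    return {s: len(d) for s, d in hits.items() if len(d) >= min_hosts}

if __name__ == "__main__":
    print(find_host_sweeps(SAMPLE_LOG))        # {'203.0.113.7': 4}
    print(find_sequential_sweeps(SAMPLE_LOG))  # {'203.0.113.7': 4}
```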