[opensuse] Sending RST packets instead of discarding them

Hi,

is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?

Christoph

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Christoph Bartoschek wrote:
> Hi,
> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?
> Christoph

I think you want the Reject target: http://www.linuxtopia.org/Linux_Firewall_iptables/x4550.html

Reject is not particularly stealthy.
On Wednesday, 22 April 2009, John Andersen wrote:
> Christoph Bartoschek wrote:
>> Hi,
>> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?
>> Christoph
> I think you want the Reject target: http://www.linuxtopia.org/Linux_Firewall_iptables/x4550.html
> Reject is not particularly stealthy.

Yes. But in my opinion dropping packets is very unfriendly. Given the number of bad boys on the internet it might be acceptable. But I will always send back an RST for all networks I am responsible for.

In this case I have an openSUSE notebook that just has to send RST by default instead of dropping packets.

Christoph
Christoph Bartoschek wrote:
> Yes. But in my opinion dropping packets is very unfriendly. Given the number of bad boys on the internet it might be acceptable. But I will always send back an RST for all networks I am responsible for.
> In this case I have an openSUSE notebook that just has to send RST by default instead of dropping packets.
> Christoph

Why an RST? Why not icmp-port-unreachable (connection refused)?

/curious
On Wednesday, 22 April 2009, Philip Dowie wrote:
>> Yes. But in my opinion dropping packets is very unfriendly. Given the number of bad boys on the internet it might be acceptable. But I will always send back an RST for all networks I am responsible for.
>> In this case I have an openSUSE notebook that just has to send RST by default instead of dropping packets.
>> Christoph
> Why an RST? Why not icmp-port-unreachable (connection refused)?

RST for TCP. For other protocols icmp-port-unreachable. This is the behaviour of systems without firewalls if I remember correctly.

Christoph
In <200904222024.25103.bartoschek@or.uni-bonn.de>, Christoph Bartoschek wrote:
> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?

-j REJECT --reject-with tcp-reset

I don't think it undermines my security, and most of this could be discovered with a simple nmap, so here's my setup that uses RST packets:

# Generated by iptables-save v1.4.2 on Wed Apr 22 18:44:23 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:accept-existing-connections - [0:0]
:accept-from-lo - [0:0]
:accept-known-services - [0:0]
:accept-new-connections - [0:0]
:accept-to-lo - [0:0]
:filter-new-connections - [0:0]
:packet-rejected - [0:0]
-A INPUT -j accept-existing-connections
-A INPUT -j accept-from-lo
-A INPUT -j filter-new-connections
-A INPUT -j packet-rejected
-A OUTPUT -j accept-existing-connections
-A OUTPUT -j accept-to-lo
-A OUTPUT -j accept-new-connections
-A OUTPUT -j packet-rejected
-A accept-existing-connections -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A accept-from-lo -i lo -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 22 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 25 -j ACCEPT
-A accept-known-services -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 587 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 993 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 465 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 143 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 2000 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 4691 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 9418 -j ACCEPT
-A accept-new-connections -m conntrack --ctstate NEW -j ACCEPT
-A accept-to-lo -o lo -j ACCEPT
-A filter-new-connections -m conntrack --ctstate NEW -j accept-known-services
-A packet-rejected -p tcp -j REJECT --reject-with tcp-reset
-A packet-rejected -p udp -j REJECT --reject-with icmp-port-unreachable
-A packet-rejected -j REJECT --reject-with icmp-admin-prohibited
-A packet-rejected -j DROP
COMMIT
# Completed on Wed Apr 22 18:44:23 2009

--
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
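Added example, not code from Boyd's message or from any project in this thread: a small POSIX shell script that generates the same "reject first, drop as safety net" terminal chain as an iptables-restore fragment, in the protocol order the ruleset above uses (tcp-reset is only valid with -p tcp, so it must be matched before the generic rule), loads it only when explicitly run as root, and includes a client-side probe that shows why a REJECT policy is less stealthy than DROP: a reset or ICMP unreachable makes a port report as closed at once, while a dropped SYN makes it report as filtered only after the timeout, which is the same distinction nmap draws. The chain name, the sample service list, and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates a "reject, then drop"
# terminal chain like the ruleset above and lets you check its effect from
# a client. The chain name and service list below are constructed samples.

REJECT_CHAIN="packet-rejected"      # assumed name, same as in the ruleset above
ALLOWED_TCP_PORTS="22 25 587"       # constructed sample: ssh, smtp, submission

# Rules for the terminal chain. Order matters: tcp-reset is only valid with
# -p tcp and icmp-port-unreachable is the usual answer for UDP, so those two
# come first; anything else gets icmp-admin-prohibited. The final DROP is a
# safety net for whatever REJECT could not answer.
reject_chain_rules() {
    printf '%s\n' \
        "-A $REJECT_CHAIN -p tcp -j REJECT --reject-with tcp-reset" \
        "-A $REJECT_CHAIN -p udp -j REJECT --reject-with icmp-port-unreachable" \
        "-A $REJECT_CHAIN -j REJECT --reject-with icmp-admin-prohibited" \
        "-A $REJECT_CHAIN -j DROP"
}

# Full INPUT-side iptables-restore fragment: established traffic, loopback,
# the listed services, then the reject chain for everything else. FORWARD
# and OUTPUT policies are declared so a restore does not leave them unset.
input_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ":$REJECT_CHAIN - [0:0]"
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -j $REJECT_CHAIN"
    reject_chain_rules
    printf '%s\n' 'COMMIT'
}

# Self-checks: three REJECT rules, and the tcp-reset rule restricted to TCP.
reject_rule_count() { reject_chain_rules | grep -c -- '-j REJECT'; }
tcp_reset_rule_is_tcp_only() {
    reject_chain_rules | grep -- 'tcp-reset' | grep -q -- '-p tcp'
}

# Load the fragment with iptables-restore; refuses to run unprivileged.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        printf '%s\n' "apply_ruleset: run as root to load the rules" >&2
        return 1
    fi
    input_ruleset | iptables-restore
}

# Client-side view of the policy. A RST or ICMP unreachable (REJECT) makes
# connect() fail immediately -> "closed"; a silently DROPped SYN leaves the
# client waiting until the timeout -> "filtered". Needs bash for /dev/tcp
# and coreutils timeout (exit status 124 on expiry).
probe_tcp_port() {
    host=$1; port=$2; wait=${3:-3}
    timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    case $? in
        0)   printf '%s\n' open ;;
        124) printf '%s\n' filtered ;;
        *)   printf '%s\n' closed ;;
    esac
}

# Usage: "show" prints the fragment, "apply" loads it, "probe HOST PORT"
# reports open/closed/filtered for a port on a host you administer.
case "${1:-}" in
    show)  input_ruleset ;;
    apply) apply_ruleset ;;
    probe) probe_tcp_port "$2" "$3" ;;
esac
```

Run it as `sh reject-chain.sh show` to review the generated fragment before loading it; after `apply`, `probe 127.0.0.1 113` from the host itself should print "closed" straight away, whereas the same probe against a host with a DROP policy sits for the full timeout and prints "filtered".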
On Wednesday, 22 April 2009, Boyd Stephen Smith Jr. wrote:
> In <200904222024.25103.bartoschek@or.uni-bonn.de>, Christoph Bartoschek wrote:
>> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?
> -j REJECT --reject-with tcp-reset
>
> I don't think it undermines my security, and most of this could be discovered with a simple nmap, so here's my setup that uses RST packets:

How do I achieve this within the SUSE firewall?
On Wed, Apr 22, 2009 at 08:24:24PM +0200, Christoph Bartoschek wrote:
> Hi,
> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?

For SUSEfirewall2, like this in /etc/sysconfig/SuSEfirewall2:

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

Ciao, Marcus
On Wednesday, 22 April 2009, Marcus Meissner wrote:
> On Wed, Apr 22, 2009 at 08:24:24PM +0200, Christoph Bartoschek wrote:
>> Hi,
>> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?
> For SUSEfirewall2, like this in /etc/sysconfig/SuSEfirewall2:
> FW_SERVICES_REJECT_EXT="0/0,tcp,113"

Thanks
On Wednesday, 22 April 2009, Marcus Meissner wrote:
> On Wed, Apr 22, 2009 at 08:24:24PM +0200, Christoph Bartoschek wrote:
>> Hi,
>> is there an easy way to get the firewall to send RST packets to connection attempts to closed ports instead of just discarding the requests?
> For SUSEfirewall2, like this in /etc/sysconfig/SuSEfirewall2:
> FW_SERVICES_REJECT_EXT="0/0,tcp,113"

After looking further in this file I discovered the correct option:

FW_REJECT="yes"

This will always reject incoming connection requests, not only for port 113.

Thanks

Christoph
participants (5)
- Boyd Stephen Smith Jr.
- Christoph Bartoschek
- John Andersen
- Marcus Meissner
- Philip Dowie