Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Sun, 28 May 2000 22:24:28 +0200
  • Message-id: <20000528222428.S2305@xxxxxxxxxxxxx>
On Sun, May 28, 2000 at 18:07 +0200, Steffen Dettmer wrote:
> * Gerhard Sittig wrote on Sat, May 27, 2000 at 22:18 +0200:
> >
> > BTW I'm aware of the fact that denied packets "reveal"
> > there's some kind of filter in between, attracting the kids
> > like locked doors to forbidden rooms ...
>
> Why should this happen? I would assume, that kids would think
> they hit a machine that is currently down or unused IP/DNS
> Name.

Portscanning a machine with some ports open and some denied (i.e.
without reaction) will tell you there's some blocker in between,
usually a packet filter. Of course denial slows the scan (it's
running to timeouts instead of getting quick responses). But
rejecting will make you subject to fingerprinting.

Although I'm not *that* sure of all these things, I simply got
used to
- pass the valid services
- deny the others and
- reject auth (tcp 113) only to not slow down SMTP delivery and
others curious about these things (but still not relying upon
them, so I don't break anything)

Feel free to tell me I'm wrong, chances are quite overwhelming
that I am. :) Luckily I'm just an average user and not a "real"
admin. :>

> I usually don't use packet deny but reject. Since all packets
> become rejected, and ICMPs become generated, I cannot imagine
> what could attract some kids or whoever. They see a firewall
> only, not more.

Here's what I got from reading the ipfilter HowTo which has a lot
of general firewalling stuff, too. (I guess I have to dig up the
URL, it could be recommended reading. Unless somebody else
already has it handy and can deliver it faster than me.)

Rejecting closed TCP ports and sending icmp-unreach for closed
UDP ports and ICMP requests will make the machine look like it
would without the filter. Denying will reveal that there's
something blocking, making the kids think "something's wrapped,
it's precious and interesting for me". But it turns out to be
left to the admin's personal taste to choose between denial and
rejection.

> > Any decent firewall (or even the TCP stack) should drop
> > corrupted and malformed packets even before the header fields
> > are looked at and used to base decisions upon.
>
> Are you sure that a fragmented ICMP is always corrupt? Maybe
> there are some ways/nets with a very small MTU?

There I was writing quicker than I was with reading. :(
Fragmented ICMP packets aren't (necessarily) corrupted. But I
had in mind a Bugtraq article of the last days where a cracker
misused artificially wrongly fragmented ICMP to fool TCP stacks.
It seems to be necessary to always defragment everything on a
firewall. Trying to cut corners often turns out to fail sooner
or later. And by employing path MTU discovery fragmentation
should even become uncommon and avoidable. Maybe one even should
drop fragmented packets in general, as well as packets too short
to be real and source routed packets where the workstation (or
origin) thinks to be more clever than the routers about routing?


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

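The policy laid out in the mail (pass the offered services, DENY the rest, REJECT only ident/auth on tcp 113 so SMTP peers do not wait for a timeout) plus the kernel settings touched on in the last paragraph (reassemble fragments before filtering, refuse source-routed packets), written out as an ipchains script. This is an added example, not a ruleset posted in the thread; the host address 192.0.2.10, the service list (22, 25, 80) and the DRY_RUN/print switch are assumptions for illustration, and the /proc paths are the 2.2-kernel-era entries that ipchains belongs to (ip_always_defrag does not exist on current kernels).

```shell
#!/bin/sh
# Added example, not from the mailing list: an ipchains input policy that
# follows the three points from the mail, plus the related sysctls.

HOST_IP="${HOST_IP:-192.0.2.10}"        # constructed example address (RFC 5737 range)
SERVICES="${SERVICES:-22 25 80}"         # assumed public TCP services: ssh, smtp, http
IPCHAINS="${IPCHAINS:-ipchains}"

# rule: run the command, or just print it when DRY_RUN is set, so the
# generated ruleset can be reviewed without touching the kernel.
rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Clean input chain; default policy DENY (silent drop, no ICMP answer).
    rule "$IPCHAINS" -F input
    rule "$IPCHAINS" -P input DENY

    # Loopback traffic is always fine.
    rule "$IPCHAINS" -A input -i lo -j ACCEPT

    # Second and further fragments (-f): drop them, as the mail suggests.
    rule "$IPCHAINS" -A input -f -j DENY

    # Pass the valid services: TCP connections to the listed ports.
    for port in $SERVICES; do
        rule "$IPCHAINS" -A input -p tcp -d "$HOST_IP" "$port" -j ACCEPT
    done

    # Replies to connections this host opened (packets without SYN: ! -y).
    rule "$IPCHAINS" -A input -p tcp ! -y -d "$HOST_IP" -j ACCEPT

    # ident/auth: REJECT (ICMP port unreachable) instead of the silent DENY,
    # so remote MTAs probing 113 get an answer instead of waiting for a timeout.
    rule "$IPCHAINS" -A input -p tcp -d "$HOST_IP" 113 -j REJECT

    # Everything else falls through to the DENY policy; log it (-l) for the admin.
    rule "$IPCHAINS" -A input -l -j DENY
}

# Kernel knobs for the last paragraph of the mail: reassemble fragments
# before filtering, and refuse source-routed packets.
kernel_hardening() {
    rule sh -c 'echo 1 > /proc/sys/net/ipv4/ip_always_defrag'
    rule sh -c 'echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route'
}

# Usage: "./fw.sh apply" loads the rules (needs root); anything else prints them.
case "${1:-}" in
    apply) firewall_rules; kernel_hardening ;;
    *)     DRY_RUN=1; export DRY_RUN; firewall_rules; kernel_hardening ;;
esac
```

Run without arguments first and read the printed rules; the deny-versus-reject choice the thread discusses is then a matter of changing the single `-j REJECT` line or the `-P input DENY` policy, and the printed output makes it easy to see which ports answer and which stay silent.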