Yup,

On 26-Sep-01 Markus Gaugusch wrote:
You can't with ipchains, but with iptables (kernel 2.4.x). Use return-rst.
**DANGEROUS**
If you rely on return-rst to "secure" open ports, all I do is firewall them or ignore them and I can get access to the port in question. Not such a great idea.

I don't understand. Why is there a (firewalling) difference between return-rst (which makes the port look "closed") and "drop" or "reject" (which makes the port look "filtered")?
Or is return-rst something completely different?
here we go again...

First of all, a quote from the return-rst-1.1 README:

---
"This is a firewalling tool, and as such it requires reasonable knowledge of IP and TCP protocols to understand it and use it effectively. Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will tip an attacker off to the fact they're being filtered. On the other hand, an RST in response to a TCP SYN packet is what happens when there is no server listening on a port - this program allows you to return this error, so attackers will think that there is no server available."
---

Return-rst works in conjunction with ipchains, and no, it's *no* standalone firewalling tool; it does *not* automagically protect anything if not properly implemented. In order to use return-rst you'd have to construct specially designed ipchains rules, like so:

    ipchains -A input -p tcp -y -o 128 -j DENY -s <attacker> -d <yourhost> 22

The above line protects the ssh port of a server. The option "-o 128" copies the first 128 bytes to the netlink device (the support of which has to be compiled into the kernel). From the netlink device, return-rst (which is a background process/daemon) processes the packets and sends an RST (reset) back to the attacker, whose favourite scanner would show a closed port/no listening service.

The security relevance of all this depends on the environment in which return-rst is used. Of course, return-rst is no wonder cure against malicious hackers; it helps to reduce lingering portscan connections and keeps away most script kiddies. A proper use would include setting return-rst on ports where only "trusted" IPs have access to, say an administrative ssh service, etc.

Hope that sheds more light on the issue.
Markus
--
Markus Gaugusch  ICQ 11374583  markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
Boris Lorenz
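To make the difference discussed above concrete, here is a small constructed model (added here, not part of the thread and not return-rst's own code) of first-match ipchains rule evaluation with the "-o" netlink copy feeding a return-rst daemon. It shows why an outsider's SYN to the denied ssh port reads as "closed", exactly like a port with nothing listening, while a plain DENY reads as "filtered", and that the actual access control comes from the "-s" rule for the trusted host. Addresses, port 22 as the only listening port, and the rule/packet field names are assumptions for the simulation.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = True               # ipchains "-y": match only SYN (new connection) packets

@dataclass
class Rule:
    target: str                    # ACCEPT, DENY or REJECT
    src: str | None = None         # "-s"
    dst: str | None = None         # "-d"
    dport: int | None = None       # port given after "-d host"
    syn_only: bool = False         # "-y"
    netlink_copy: int = 0          # "-o N": copy first N bytes to the netlink device

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or rule.src == pkt.src)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.syn_only or pkt.syn))

def firewall(rules: list[Rule], pkt: Packet, listening: set[int]) -> str:
    """What the sender gets back; first matching rule wins, as in ipchains."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "ACCEPT":
            break                                  # hand the packet to the local stack
        if rule.target == "REJECT":
            return "icmp-unreach"                  # ICMP error: port reads as "filtered"
        # DENY: return-rst only sees the packets copied via "-o" and forges an
        # RST for them; without "-o" the SYN is just dropped silently.
        return "rst" if rule.netlink_copy > 0 else "silence"
    return "syn-ack" if pkt.dport in listening else "rst"   # stack's own answer

def scanner_view(response: str) -> str:
    return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")

# Constructed sample policy: admin host may reach ssh on the server; everyone else
# hits the thread's rule (DENY with -o 128, so return-rst answers with an RST).
SERVER, ADMIN, OUTSIDER = "192.0.2.10", "192.0.2.50", "203.0.113.9"
RETURN_RST_POLICY = [Rule("ACCEPT", src=ADMIN, dst=SERVER, dport=22),
                     Rule("DENY", dst=SERVER, dport=22, syn_only=True, netlink_copy=128)]
PLAIN_DENY_POLICY = [RETURN_RST_POLICY[0], Rule("DENY", dst=SERVER, dport=22, syn_only=True)]

def probe(policy: list[Rule], src: str, dport: int) -> str:
    """Scanner's verdict for one SYN from src to the server, which listens on 22 only."""
    return scanner_view(firewall(policy, Packet(src, SERVER, dport), {22}))
```

With the return-rst policy, `probe(RETURN_RST_POLICY, OUTSIDER, 22)` and `probe(RETURN_RST_POLICY, OUTSIDER, 23)` both come back "closed", while the plain DENY policy yields "filtered" for port 22.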