List:       ipfilter
Subject:    Re: nmap FIN Stealth
From:       Manuel Kasper <mk () neon1 ! net>
Date:       2002-12-29 9:28:10

On 29.12.2002 1:47, "Alejandro Valdez" <avaldez@arroba.com.ar> wrote:

> Thank you for your post.
> 
> I don't understand: why does returning the proper reply give more
> information about my firewall?
> 
> I think that returning the RST packets will hide my firewall. Am I
> wrong?

It depends. OK, if there are some ports open to inbound connections, not
returning anything for all other ports will make it clear that there's a
firewall. But as long as you don't return anything to denied packets, one
can never be sure. Returning RSTs for all other ports will make the firewall
look like a single unfirewalled host to the Internet. However, if you don't
have any ports open to inbound connections and don't return RSTs (or ICMP
destination host unreachable messages, for that matter), your firewall host
won't seem to exist on the Internet at all. Which is a Good Thing [tm].

However, the point is that if you start returning answers to denied packets,
you make life easier for people trying to DoS you, as you're actively
helping them (--> you produce at least one outbound packet for each incoming
one).

OK, I know this is all a bit paranoid... But each and every commercial
firewall I've seen so far (and that's a lot) just drops denied packets
without returning any answer in the default setting, and most firewall
guides recommend the same, too...

Greets,

Manuel
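The two policies discussed in this thread, written as an ipfilter (ipf.conf) fragment. This is an added example, not from either poster; it assumes an external interface named fxp0 and a single published service on TCP port 80.

```ipf
# Added example (not from the original thread). Assumes external interface fxp0
# and one service reachable on TCP port 80; adjust to the real interface/ports.

# Let state-tracked inbound connections through to the one published service.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state

# Option A (the default most commercial firewalls ship with, and the one
# recommended in the reply above): silently drop everything else. No packet
# leaves the box for a denied packet, so a scanner cannot tell "filtered"
# from "nothing there", and a flood of denied packets costs no reply traffic.
block in quick on fxp0 all

# Option B (what the original poster proposed): answer denied TCP with a RST
# and denied UDP with ICMP port-unreachable, so the box looks like a plain
# host with closed ports. Note the cost: one outbound packet per denied
# inbound packet, which is the DoS amplification concern raised in the reply.
# Uncomment these (and comment out the silent block above) to use it.
# block return-rst in quick on fxp0 proto tcp from any to any
# block return-icmp(port-unr) in quick on fxp0 proto udp from any to any
# block in quick on fxp0 all
```

The `quick` keyword makes ipf stop at the first matching rule instead of its usual last-match behaviour, which is what keeps the single pass rule ahead of the catch-all block.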
