[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RFE: FireKit

Matthew Woehlke wrote:
> Björn Persson wrote:
> > Matthew Woehlke wrote:
> >> an iptables rule
> >> that allows stuff if there is a socket that will receive it, otherwise
> >> can drop
> >
> > Where's the point in that?
> Stealth? You might as well ask what is the point of using DROP (instead
> of REJECT) at all. Obviously there is a reason or else it wouldn't exist.

That's obscurity, not security. If there's a hole in Sendmail for example, 
then attackers trying to exploit that hole won't start by probing port 26384 
and then connect to port 25 only if they get an RST packet from port 26384. 
They'll go straight on port 25. You're not truly "stealth" unless you drop 
*all* packets, at which point you can just as well unplug the network cable 
(or turn WiFi off with the kill switch).

My personal packet filter drops disallowed packets if either address is a 
multicast or broadcast address. If both addresses are unicast addresses it 
rejects the packet with the "administratively prohibited" code. This makes 
troubleshooting a whole lot easier than if the packets just disappear.

Björn Persson

Attachment: signature.asc
Description: This is a digitally signed message part.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]