Security Basics mailing list archives
Re: Iptables Clues and Advices.
From: Jeff Harris <jharris () tahongawaka nu>
Date: Wed, 9 Apr 2003 11:51:12 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems to me that DROP would be used for creating the appearance that your IP isn't in use. If you are providing no services to the internet, then every port should DROP. However, if you have any service, even just an ssh server, someone portscanning you will know that you're there, and a REJECT would be the correct thing to do.

Jeff.

On Wed, 9 Apr 2003, Julien Royère wrote:
> I do not agree. DROP drops the connection, no more action. REJECT closes a connection by GENERATING a packet. In matters of security they both do the same thing, but if someone spoofs an IP, you may respond and annoy someone whose IP has been spoofed.
>
> Julien
>
> ----- Original Message -----
> From: "Jason Dixon" <jasondixon () myrealbox com>
> To: <gillettdavid () fhda edu>
> Cc: <security-basics () securityfocus com>
> Sent: Tuesday, April 08, 2003 6:19 PM
> Subject: RE: Iptables Clues and Advices.
>
> > For all the folks who are under the illusion that DROP is more secure than REJECT, I submit the following:
> >
> > http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> >
> > -J.
> >
> > On Mon, 2003-04-07 at 20:03, David Gillett wrote:
> > > There is ONE specific case in which I REJECT rather than DROP filtered packets: Sometimes users behind my firewall need to contact an outside POP3 email server. Many such boxes react to such connections by attempting a connection back to the source on port 113 (identd). If I DROP connections to this port, the remote POP3 server will wait for its request to time out -- and then try again and time out again, two more times. By REJECTing the connection, I let the server try and fail and try and fail immediately, and so my client's download of mail begins much sooner than it would if I just DROPped those packets.
> > >
> > > David Gillett
> > >
> > > -----Original Message-----
> > > From: Allan Schon [mailto:allanschon () mckinleymachinery com]
> > > Sent: April 7, 2003 08:53
> > > To: security-basics () securityfocus com
> > > Subject: RE: Iptables Clues and Advices.
> > >
> > > > it will also result in a mess, because the server will be a hole in space (regarding the blocked ports). And what are the benefits (if there are any) of this practice?
> > >
> > > Well, the primary benefit is that attackers scanning for specific open ports in your IP range will never find your machine, if you're dropping connection attempts to the target port. That's a considerable advantage, I think. They can't attack you if they don't know you're there.
> > > Are there any specific disadvantages to DROPing?
> > >
> > > -----Original Message-----
> > > From: Andreas Happe [mailto:andreashappe () gmx net]
> > > Sent: Saturday, April 05, 2003 5:29 PM
> > > To: security-basics () securityfocus com
> > > Subject: Re: Iptables Clues and Advices.
> > >
> > > > In article <1049484753.24055.41.camel () unsigned local fr>, Pierre BETOUIN wrote:
> > > > > DROP would be better there because you don't need to warn attackers that this port is filtered.
> > > >
> > > > it will also result in a mess, because the server will be a hole in space (regarding the blocked ports). And what are the benefits (if there are any) of this practice?
> > > >
> > > > andreas
> > > > --
> > > > I tell them to turn to the study of mathematics, for it is only there that they might escape the lusts of the flesh.
> > > > -- Thomas Mann, "The Magic Mountain"
> > > >
> > > > -------------------------------------------------------------------
> > > > SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial:
> > > > http://www.securityfocus.com/SurfControl-security-basics
> > > > -------------------------------------------------------------------
> > >
> > > -------------------------------------------------------------------
> > > Is SPAM over-loading your e-mail server, disk space or bandwidth? SurfControl E-Mail Filter is flexible, intelligent and policy-driven protection.
> > > http://www.securityfocus.com/SurfControl-security-basics2
> > > Download your free fully functional trial, complete with 30-days of free technical support. Stop SPAM before it stops you.
> > > -------------------------------------------------------------------
- --
Registered Linux user #304026.
"lynx -source http://jharris.tahongawaka.nu/jharris.asc | gpg --import" or
"gpg --keyserver pgp.mit.edu --recv-key 0xde0241b9"
Key fingerprint 4846 0BE4 5C8B 0DC9 3462 B642 7E77 EC33 DE02 41B9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE+lGumfnfsM94CQbkRAvw8AJ937CPwv9ZYqSjyfCYB6oBtOkboZwCgly2l
+/cwonLnCiCLUmfxzQld6Pk=
=2MRG
-----END PGP SIGNATURE-----
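The trade-off argued across this thread (DROP to look unused, REJECT so that legitimate peers such as David Gillett's ident-probing POP3 servers fail fast, and Julien's point that a REJECT answers whatever source address the packet claims), written out as one iptables INPUT ruleset. This is an added example and is not code from any message in the thread. The function name fw_rules, the IPT variable, the choice of ssh on tcp/22 as the one exposed service, and the 10/second rate limit are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an INPUT ruleset that combines the
# positions argued above.  Unsolicited traffic hits a DROP policy (the host
# looks unused), ident (tcp/113) is REJECTed with a TCP RST so remote
# POP3/SMTP servers fail fast instead of waiting out three timeouts, and
# every REJECT rule is rate-limited so a spoofed source cannot use the
# firewall as a reflector.  Names (fw_rules, IPT), ports and limits are
# illustrative assumptions.
# Run as root:  sh fw.sh apply drop     or     sh fw.sh apply reject
# Dry run:      IPT=echo sh fw.sh apply reject

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

# fw_rules MODE  -- MODE is "drop" (silent: Pierre's/Allan's position) or
# "reject" (answer every closed port: Jason's/Jeff's position for a host
# that runs a visible service anyway).
fw_rules() {
    mode="${1:-drop}"
    case "$mode" in
        drop|reject) ;;
        *) echo "fw_rules: mode must be drop or reject" >&2; return 2 ;;
    esac

    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP                                  # catch-all: no answer at all
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The one service actually offered (assumed: ssh).  Its presence already
    # tells a scanner the host exists, which is Jeff's argument for REJECT.
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # David Gillett's case: remote mail servers probe ident before talking
    # to us.  A RST makes them give up immediately; DROP costs three timeouts.
    # -m limit bounds how many RSTs we emit, so a spoofed source receives at
    # most this many reflected packets per second; the excess falls through
    # to the DROP policy.
    "$IPT" -A INPUT -p tcp --dport 113 -m conntrack --ctstate NEW \
        -m limit --limit 10/second --limit-burst 20 \
        -j REJECT --reject-with tcp-reset

    if [ "$mode" = reject ]; then
        # Answer every other closed port too (TCP with a RST, everything
        # else with ICMP port-unreachable), again rate-limited; above the
        # limit the policy DROP still applies.
        "$IPT" -A INPUT -p tcp -m conntrack --ctstate NEW \
            -m limit --limit 10/second --limit-burst 20 \
            -j REJECT --reject-with tcp-reset
        "$IPT" -A INPUT -m limit --limit 10/second --limit-burst 20 \
            -j REJECT --reject-with icmp-port-unreachable
    fi
}

if [ "${1:-}" = "apply" ]; then
    fw_rules "${2:-drop}"
fi
```

Only the INPUT chain is touched; OUTPUT and FORWARD are left as they were. Because the REJECT rules are rate-limited and the chain policy is DROP, a flood of packets with a forged source address gets at most the configured number of RSTs or ICMP errors reflected back at the victim, and everything beyond that is silently dropped, which is the compromise between the two positions in the thread.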
Current thread:
- RE: Iptables Clues and Advices., (continued)
- RE: Iptables Clues and Advices. David Gillett (Apr 08)
- RE: Iptables Clues and Advices. Jason Dixon (Apr 08)
- Re: Iptables Clues and Advices. Andres j. Ogayar (Apr 09)
- RE: Iptables Clues and Advices. Steve Bremer (Apr 09)
- Re: Iptables Clues and Advices. Salvatore Poliandro (Apr 10)
- RE: Iptables Clues and Advices. Benjamin Meade (Apr 09)
- Re: Iptables Clues and Advices. Bryan S. Sampsel (Apr 09)
- Re: Iptables Clues and Advices. Bryan S. Sampsel (Apr 10)
- RE: Iptables Clues and Advices. David Gillett (Apr 08)
- Re: RE: Iptables Clues and Advices. Christian Friedl (Apr 09)
- Re: Iptables Clues and Advices. Julien Royère (Apr 09)
- Re: Iptables Clues and Advices. Jeff Harris (Apr 10)
- DROP vs REJECT Re: Iptables Clues and Advices. Chris Travers (Apr 10)
- VMware & WinXP Firegoblin Postmaster (Apr 12)
- Re: Iptables Clues and Advices. Vic Ricker (Apr 10)