Firewall Wizards mailing list archives
Re: NAK dropped SYN-packets to sender?
From: "Perry E. Metzger" <perry () piermont com>
Date: 09 Aug 1999 17:52:56 -0400
"Frank Heinzius" <frimp () mms de> writes:
our Firewall normally silently drops unauthorized packets from the Internet. It is also possible to send back an ICMP unreachable to the originator. Both methods have their advantages: silent dropping gives you an additional kinda "security by obscurity" level. The disadvantage is that TCP stacks from the originator will do a couple of retransmits due to the timeouts. If I send ICMP unreachable, the attacker knows that there is a firewall mechanism, which makes port scans very fast (if based on SYN-ACK). On the other hand, I don't have to deal with retransmits. What is the common and/or most recommended way?
I'm not a big believer in the "security from obscurity" features that dropping ICMP unreachables provides. However, if you are going to do that, at least send "unreachables" for a few common undesirable services, like the horrible "ident" protocol, which would otherwise result in delays for things like mail delivery out of your firewall. (Unfortunately, lots of SMTP MTAs now do an ident query back to a host sending mail, and dropping those idents silently instead of with the ICMP will result in major mail delays for you, among other things...)

Perry
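The policy Perry describes, written out as an added nftables ruleset (this is illustrative code added to the archive page, not something posted in the thread or taken from any particular firewall product): the default stays silent drop as in Frank's setup, but ident (TCP port 113) gets an explicit reject so a remote MTA's ident query fails immediately instead of retransmitting SYNs for a minute or more before giving up. The SMTP service on port 25 is an assumed example of a service the host actually offers.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes this host offers SMTP
# on port 25; adjust the accept rules to whatever the firewall really exposes.
flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not matched below is dropped without a reply,
        # i.e. Frank's "silent drop" behaviour.
        type filter hook input priority 0; policy drop;

        # Replies to connections we opened, and loopback traffic.
        ct state established,related accept
        iif "lo" accept

        # Services actually offered to the Internet (assumed: SMTP).
        tcp dport 25 ct state new accept

        # ident/auth (TCP 113): answer with an ICMP port-unreachable so the
        # remote MTA's ident lookup fails at once and mail delivery is not
        # held up by its SYN retransmits. 'reject with tcp reset' would do
        # the same job and looks like a host that simply runs no identd.
        tcp dport 113 reject with icmpx type port-unreachable

        # Everything else falls through to the silent-drop policy above.
    }
}
```

Load it with `nft -f` and check from an outside host that a connection to port 113 fails immediately (for example `nc -vz <firewall> 113` reporting a refusal right away) while a probe to an unlisted port hangs until the client's own timeout; that difference in timing is exactly the scan speed-up Frank mentions, which is why the reject is limited to the one port where the delay actually hurts.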
Current thread:
- NAK dropped SYN-packets to sender? Frank Heinzius (Aug 09)
- Re: NAK dropped SYN-packets to sender? Perry E. Metzger (Aug 10)
- Re: NAK dropped SYN-packets to sender? Frank Heinzius (Aug 10)
- Re: NAK dropped SYN-packets to sender? Matt Curtin (Aug 10)
- Re: NAK dropped SYN-packets to sender? Perry E. Metzger (Aug 10)