On 30.03.2011 15:00, Partha Chowdhury wrote:
> According to the source from where I got the iptables configuration,
> the approach is "Block all incoming connections except for established
> connections, then open only specific ports which you want outside world
> to connect to".

Exactly my philosophy.

> About blocking icmp ping, I quote one website as-is:
>
>> Your system REPLIED to our Ping (ICMP Echo) requests, making it
>> visible on the Internet. Most personal firewalls can be configured to
>> block, drop, and ignore such ping requests in order to better hide
>> systems from hackers. This is highly recommended since "Ping" is among
>> the oldest and most common methods used to locate systems prior to
>> further exploitation
> Is what they say true?

You cannot "hide" yourself on the internet. If you were offline, the next router would reply that your machine is unreachable. By not answering, you not only tell the "attacker" that you are online, you also tell him that you don't know shit about networking. Google it.

>> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
>
> Doesn't this seem redundant? I mean icmp is allowed, then except for
> established and related connections, a tcp rst packet is sent for all
> unwanted tcp traffic and icmp-port-unreachable message is sent for
> every unwanted udp packet, right? Then what packets does that rule match?

This properly rejects packets to your IP that are neither ICMP nor TCP nor UDP.

>> What is a "malicious port scanner" and how can you stay "secure" from it?
>>
> I meant to avoid random packets coming from random machines at random
> times:
>
> for example:
> one random packet from sys.log
>
>> IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00
>> SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103
>> ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0

And how does that harm you?
It is rejected, and the sender now knows that he is sending to the wrong destination (instead of continuously retrying, which he would probably if you DROPped it).
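The rule ordering discussed in this message, written out as an added example in `iptables-restore` format; it is not part of the original email and not the poster's actual ruleset. The opened port (22/tcp) and the use of the `conntrack` match are assumptions; only the three REJECT responses and the "allow ICMP, allow established/related" approach come from the thread.

```iptables
# Constructed example, not the ruleset from the thread.
*filter
# The policy is only a safety net: the last INPUT rule matches everything.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback traffic and replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ICMP is allowed, so echo requests (ping) are answered.
-A INPUT -p icmp -j ACCEPT

# Assumption: SSH is the one service opened to the outside world.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Unwanted TCP: answer with a RST, exactly as a closed port would.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset

# Unwanted UDP: answer with ICMP port unreachable.
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Anything that is neither ICMP, TCP nor UDP: ICMP protocol unreachable.
# This is the rule that was asked about as "redundant".
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
```

With this ordering, the logged SYN to port 39384 falls through to the `tcp-reset` rule. The file can be syntax-checked without loading it using `iptables-restore --test < rules.v4` (file name is a placeholder).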