On Tue, Jan 3, 2012 at 9:31 AM, Marc Deop <damnshock@xxxxxxxxx> wrote:
>
>> Openvpn runs over UDP. With the tls-auth option it won't respond to
>> an unsigned packet. So without the key you can't tell the difference
>> between a listening openvpn or a firewall that drops packets silently.
>> That is, you can't 'find' it.
>
> We are not going to argue drop vs reject, are we? :P

It follows the usual pattern: dropping is more secure in that you
can't tell if anything is there at all where rejecting is more
convenient because attempts to open a connection don't have to wait
for timeouts. Pick the one that meets your specific need.

--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
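
Added example, not part of the original message and not OpenVPN's code: a simplified Python model of the behaviour described in the thread, where a UDP service answers only datagrams carrying a valid HMAC under a pre-shared key and stays silent otherwise. The packet layout (32-byte HMAC-SHA256 tag followed by the payload), the key, and all function names are assumptions made for illustration; this is not the OpenVPN wire format.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 tag

# Constructed demo key; a real deployment uses a randomly generated shared key file.
SERVER_KEY = hashlib.sha256(b"constructed demo key").digest()


def sign(key: bytes, payload: bytes) -> bytes:
    """Build a datagram as a peer holding the shared key would: tag || payload."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def handle_datagram(key: bytes, datagram: bytes):
    """Return the reply bytes, or None meaning 'send nothing at all'."""
    if len(datagram) < TAG_LEN:
        return None  # too short to carry a tag: silent drop
    tag, payload = datagram[:TAG_LEN], datagram[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the tag matched.
    if not hmac.compare_digest(tag, expected):
        return None  # unsigned or wrongly signed: no error packet, no reset
    return sign(key, b"HANDSHAKE-REPLY:" + payload)


def probe_view(reply) -> str:
    """What the sender of a datagram can observe from the outside."""
    if reply is None:
        return "timeout (indistinguishable from a firewall DROP)"
    return "service answered"


if __name__ == "__main__":
    samples = {  # constructed sample datagrams
        "unsigned probe": b"\x38" + bytes(13),
        "signed with wrong key": sign(b"not the shared key", b"hello"),
        "signed with shared key": sign(SERVER_KEY, b"hello"),
    }
    for name, datagram in samples.items():
        print(f"{name:24} -> {probe_view(handle_datagram(SERVER_KEY, datagram))}")
```

A firewall REJECT rule, by contrast, answers every sender immediately, which is the convenience-versus-visibility trade-off the reply describes.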