Jurgen Kramer <gtm.kramer@xxxxxxxxxxxx> wrote:
> On Fri, 2006-01-20 at 19:20 -0300, Horst von Brand wrote:
> > Jurgen Kramer <gtm.kramer@xxxxxxxxxxxx> wrote:
> > > I noticed that with FC5t2 the iptables firewall still has the -j REJECT
> > > --reject-with icmp-host-prohibited rule instead of a more secure -j
> > > DROP.
> > > What is the reason behind this?

> > DROP is extremely rude to the other end, which times out wondering what
> > happened to the stuff sent.

> Maybe rude but I think this is the default behavior for (most)
> commercial firewalls.

Simply broken. Get a better one.

> Most people will disable icmp echo replies on
> machines connected to the net so script kiddies won't find them easily
> but if the firewall just answers to every knock on any random port that
> won't help.

Yes, I have had to suffer at the hands of "security experts" that
configured their machines thusly, and so made their networks
"impenetrable"...

Besides, you can set it up so that it uniformly answers, without regard to
having a real machine or not at that IP. Legitimate (stray?) users aren't
made to suffer for what to a medium-bright script kiddie is at most a minor
annoyance.

I don't care if they can find out through a sweep if there is something at
a particular IP, there are hundreds of other ways they can use to find out;
I /do/ take care that cracking said machines is not trivial, even if they
are behind the firewall (and most crackers sit there: Legitimate users have
access, know their way around, and are much more probable than the random
teenager-in-the-basement cliche to really want to get you; if they don't
know how they can certainly enlist specialist outside help...).

-- 
Dr. Horst H. von Brand                          User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
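The difference the thread argues about is what a legitimate client experiences: a REJECT rule (or a plain closed port) produces an immediate error, while DROP leaves the client hanging until its own timeout expires. The probe below is an added example, not code from the list or from Fedora, for checking how your own host answers a connection attempt; it assumes Linux errno semantics (ICMP host-prohibited surfaces as EHOSTUNREACH, a TCP RST as ECONNREFUSED) and constructs a throwaway loopback listener so it runs offline.

```python
import errno
import socket
import time

# Outcomes a client sees depending on how the far end treats its SYN.
OPEN = "open"           # handshake completed
REJECTED = "rejected"   # immediate error: REJECT rule or a closed port
DROPPED = "dropped"     # silence: DROP rule, the client waits out its timeout

# errno values Linux reports from connect() when an error answer arrives:
# --reject-with icmp-host-prohibited  -> EHOSTUNREACH
# TCP RST (closed port, --reject-with tcp-reset) -> ECONNREFUSED
_REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}


def probe(host, port, timeout=2.0):
    """Return (outcome, seconds_waited) for one TCP connect attempt."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN, time.monotonic() - start
    except socket.timeout:
        # Nothing came back at all: this is what DROP looks like to a user.
        return DROPPED, time.monotonic() - start
    except OSError as exc:
        if exc.errno in _REJECT_ERRNOS:
            return REJECTED, time.monotonic() - start
        raise
    finally:
        sock.close()


def listener_on_free_port():
    """Constructed local service (assumption) so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = listener_on_free_port()
    port = srv.getsockname()[1]
    print("listening port:", probe("127.0.0.1", port))
    srv.close()
    # With nothing listening the kernel answers RST: the "rejected" path,
    # returned in milliseconds rather than after a multi-second wait.
    print("closed port:", probe("127.0.0.1", port))
```

Point it at a port behind a DROP rule on your own firewall and the call takes the full timeout; behind the FC5 default REJECT rule it returns at once with EHOSTUNREACH.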