-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 23 Jun 2005, Jan Engelhardt wrote:

>> turns on those detections and rejections within the kernel, as well as
>> perhaps adding a rule or two to DROP INVALID packets they should be
>> covered, should they not? And thus with far less resource overhead as
>> extensive rules in their ruleset?
>
> That depends on what you want.
>
>> what we want is for the firewall to be immune to invalid packets generated by
>> these kinds of scans, yes? to not give out port information when hit with
>
> I do not give out port information. At least, I do not give correct port
> information, which is just as much gain.
>
>> REJECT is the kind way to end a connection and does not slow an automated
>> scanner one bit, while a DROP lets that attack tool keep the socket open on
>
> Read closely. It uses -m random to switch between REJECT/DROP.
> Try that ruleset and then nmap yourself with "nmap -r localhost -p 1-2500".
> Count the time, and compare to a pure DROP-based approach.
> (iptables -F; iptables -P INPUT DROP; nothing more)
>
>> its end and tries to wait for feedback from the other end, and thus slows or
>
> Surprisingly no. The REJECT/DROP mix confuses nmap more than a plain DROP. See
> above.

Interesting this use of random. I'll have to play with it when I get that
rare bit of spare time for testing and fooling about with things not in
prod or requiring immediate attention to fix! Which tend to be even
more rare these days in our understaffed env. But, your reports of this
random further confusing the scanner and slowing it down are extremely
interesting...
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCvCP6st+vzJSwZikRAm5lAKC0NUYKngyDpRzPcdbli2+F17xmIgCgvm5J
6Ck0P7LOcsqflFJllb5e1vU=
=Gzgq
-----END PGP SIGNATURE-----
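The ruleset the two posters are discussing, as an added example that is not Jan's or Ron's code and was not part of the thread: an INPUT chain that drops packets conntrack flags as INVALID (the "DROP INVALID" rule Ron asks about) and answers unsolicited probes with a random REJECT/DROP mix instead of a pure DROP. It assumes a kernel with the conntrack and statistic matches; `-m statistic --mode random` is the in-tree successor of the `-m random` match Jan's ruleset used, and the service ports 22 and 80 are constructed for the example. Passing `"echo iptables"` as the runner prints the rules without touching the kernel, so the dry run needs no root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an INPUT chain that:
#  1. drops packets conntrack marks INVALID (bad flag combinations, out-of-window
#     segments, stray ACK/FIN probes), before anything else is accepted,
#  2. keeps loopback, established traffic and the services we actually listen on,
#  3. answers every other new probe with a 50/50 mix of REJECT and DROP, using
#     "-m statistic --mode random" (assumption: in-tree successor of the "-m random"
#     patch match Jan used; needs iptables and kernel support for xt_statistic).
# $1 is the command used for each rule: "iptables" applies them (root required),
# "echo iptables" only prints them.  $2 is the list of allowed TCP service ports.

firewall_rules() {
    run="${1:-echo iptables}"
    services="${2:-22 80}"        # constructed example ports

    $run -F INPUT
    $run -P INPUT DROP

    # 1. anything conntrack cannot fit into a known connection is silently dropped
    $run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # loopback, plus replies to connections this host started
    $run -A INPUT -i lo -j ACCEPT
    $run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. real services: only a clean SYN opening a NEW connection gets in
    for p in $services; do
        $run -A INPUT -p tcp --dport "$p" --syn -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. half of the remaining SYNs get an RST back (REJECT), the other half
    #    fall through to the DROP policy, so a scanner sees no consistent pattern
    $run -A INPUT -p tcp --syn -m statistic --mode random --probability 0.5 \
        -j REJECT --reject-with tcp-reset
    $run -A INPUT -p udp -m statistic --mode random --probability 0.5 \
        -j REJECT --reject-with icmp-port-unreachable
    # everything else: chain policy DROP
}

# Number of "-A INPUT" rules a dry run would emit for a given service list;
# lets the generated ruleset be checked without loading it.
rule_count() {
    firewall_rules "echo iptables" "$1" | grep -c '^iptables -A INPUT'
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules iptables "${2:-22 80}"
else
    firewall_rules "echo iptables" "${2:-22 80}"
fi
```

Run it without arguments to print the rules, or as root with `--apply "22 80"` to load them; afterwards the comparison Jan suggests (`nmap -r localhost -p 1-2500` timed against this chain, then against a bare `iptables -P INPUT DROP`) shows the effect of the mix. Rule order matters: the INVALID drop sits before the ESTABLISHED,RELATED accept so out-of-state probes never match the latter, and the REJECT rules cost one reply packet per probe, so on an exposed link it is reasonable to put `-m limit` in front of them to cap the RST/ICMP rate.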