[Courses] Re: [Courses][Security] return RST

Raven, corporate courtesan raven at oneeyedcrow.net
Tue Mar 26 21:30:20 EST 2002


Heya --

Quoth Hamster (Tue, Mar 26, 2002 at 04:58:08PM +0100):
> Is there such a thing available for 2.4 (iptables) kernels, and if so, I'd be interested in the hearing the advantages/disadvantages in disguising the fact that you've got a firewall.
 
	Yep -- this capability is actually native to iptables, so you
don't need a separate program to do it.  I think it's about time we
started with syntax of firewalling anyway.  The flag -j REJECT
--reject-with tcp-reset in a firewall rule will do that for you.  So,
for example, 

iptables -A INPUT -p tcp -s 0/0 -j REJECT --reject-with tcp-reset

makes a rule that takes any incoming packet that's TCP, from any source
IP address/netmask, and rejects it with a TCP reset.  If this is how you
want your firewall to behave, this is a good rule for the end of your
ruleset after you've permitted or redirected all the tcp ports that you
want to allow.  (Make sure to allow established connections explicitly
before this rule, or your client programs won't work.)

	Advantages: nobody knows you've got a firewall (at least, to a
cursory look.  They may suspect or fingerprint.).  Disadvantages: nobody
knows you've got a firewall.  [grin]  It depends on the psychology of
your attacker -- is a firewall going to make them go "Oooh, too hard,
I'll look for easier prey" or "Oooh, there must be something good
there"?  There is much debate on this subject.

Cheers,
Raven
 
"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
  -- me and Tiff, flinging stuffed animals and tech humor
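As an added illustration of the ordering Raven describes (this is example code, not part of the original post or from the list's authors), here is a small POSIX sh script that emits an INPUT ruleset in the safe order: loopback and established traffic first, the ports you want to serve next, and the `REJECT --reject-with tcp-reset` catch-all last. The allowed port list is an assumption for illustration, and the `-m state` match is the state module that shipped with iptables of that era.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables INPUT ruleset in the
# order Raven describes -- permit what you need, accept established traffic,
# and only then reject everything else with a TCP reset.
# The port list below is an assumption for illustration.
ALLOWED_TCP_PORTS="22 80 443"

# Emit the ruleset as iptables commands, one per line.
build_ruleset() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Established/related connections must be accepted BEFORE the reject rule,
    # or replies to your own outbound connections get reset by your own box.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Everything else: answer with RST so it looks like a closed port.
    echo "iptables -A INPUT -p tcp -s 0/0 -j REJECT --reject-with tcp-reset"
}

# Sanity check: the ESTABLISHED rule must appear before the tcp-reset rule.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    est=$(build_ruleset | grep -n 'ESTABLISHED' | cut -d: -f1)
    rej=$(build_ruleset | grep -n 'tcp-reset' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

# Print the commands (DRY_RUN=1, the default) or run them as root (DRY_RUN=0).
apply_ruleset() {
    if check_order; then
        build_ruleset | while read -r cmd; do
            if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
        done
    else
        echo "refusing to apply: ESTABLISHED rule must precede the reject rule" >&2
        return 1
    fi
}
```

Source the script and call `apply_ruleset` to see the commands, or `DRY_RUN=0 apply_ruleset` as root to load them; `check_order` is the guard that catches the mistake Raven warns about (the reset rule landing ahead of the established-connections rule).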


