RE: Iptables Clues and Advices.

["Allan Schon" <allanschon () mckinleymachinery com>]

OK, so I was gonna fire off a response that argued that the advantages to REJECT mentioned in the article weren't very 
useful, but I Googled the topic, and came up with another advantage to REJECT. If you are sending out the 
host-unreachable response, an attacker will have a tough time spoofing your IP address, unless he can take your 
computer down, somehow.

http://www.linuxsecurity.com/articles/firewalls_article-3055.html

DROP seems more secure, on cursory examination, but the more I dig into it, the more I think that REJECTing might be a 
better policy. I may be reconfiguring my firewall this evening...

Anyone else have any insight into this topic?

-----Original Message-----
From: Jason Dixon [mailto:jasondixon () myrealbox com]
Sent: Tuesday, April 08, 2003 12:20 PM 
To: gillettdavid () fhda edu
Cc: security-basics () securityfocus com
Subject: RE: Iptables Clues and Advices.


For all the folks who illusion that DROP is more secure than REJECT, I
submit the following:

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

-J.

On Mon, 2003-04-07 at 20:03, David Gillett wrote:
>   There is ONE specific case in which I REJECT rather than
> DROP filtered packets:
>
>   Sometimes users behind my firewall need to contact an outside
> POP3 email server.  Many such boxes react to such connections by 
> attempting a connection back to the source on port 113 (identd).
>   If I DROP connections to this port, the remote POP3 server
> will wait for its request to timeout -- and then try again and
> timeout again, two more times.  By REJECTing the connection, I
> let the server try and fail and try and fail immediately, and so
> my client's download of mail begins much sooner than it would
> if I just DROPped those packets.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Allan Schon [mailto:allanschon () mckinleymachinery com]
> > Sent: April 7, 2003 08:53
> > To: security-basics () securityfocus com
> > Subject: RE: Iptables Clues and Advices.
> >
> >
> > > it will also result into a mess, because the server will be a
> > > hole in space (regarding the blocked ports). And what are 
> > the benefits
> > > (if there are any) of this practice?
> >
> > Well, the primary benefit is that attackers scanning for 
> > specific open ports in your ip range will never find your 
> > machine, if you're dropping connection attempts to the target 
> > port.  That's a considerable advantage, I think.  They can't 
> > attack you if they don't know you're there.  
> >
> > Are there any specific disadvantages to DROPing?
> >
> > -----Original Message-----
> > From: Andreas Happe [mailto:andreashappe () gmx net]
> > Sent: Saturday, April 05, 2003 5:29 PM
> > To: security-basics () securityfocus com
> > Subject: Re: Iptables Clues and Advices.
> >
> >
> > In article <1049484753.24055.41.camel () unsigned local fr>, 
> > Pierre BETOUIN wrote:
> > > DROP would be better there because you don't need to 
> > prevent attackers
> > > that this port is filtered.
> >
> > it will also result into a mess, because the server will be a
> > hole in space (regarding the blocked ports). And what are the benefits
> > (if there are any) of this practice?
> >
> > andreas
> > -- 
> > I tell them to turn to the study of mathematics, for it is only there 
> > that they might escape the lusts of the flesh.
> >                   -- Thomas Mann, "The Magic Mountain"
> >
> >
> > -------------------------------------------------------------------
> > SurfControl E-mail Filter puts the brakes on spam,
> > viruses and malicious code. Safeguard your business
> > critical communications. Download a free 30-day trial:
> > http://www.securityfocus.com/SurfControl-security-basics
> >
> >
> > <b>
> > -------------------------------------------------------------------
> > Is SPAM over-loading your e-mail server, disk space or bandwidth?
> > SurfControl E-Mail Filter is flexible, intelligent and policy-driven
> > protection.
> > http://www.securityfocus.com/SurfControl-security-basics2
> > Download your free fully functional trial, complete with 
> > 30-days of free technical support.
> > Stop SPAM before it stops you.
> > -------------------------------------------------------------------
> > </b>
>
> ----

> <b>
> -------------------------------------------------------------------
> Is SPAM over-loading your e-mail server, disk space or bandwidth?
> SurfControl E-Mail Filter is flexible, intelligent and policy-driven
> protection.
> http://www.securityfocus.com/SurfControl-security-basics2
> Download your free fully functional trial, complete with 30-days of free technical support.
> Stop SPAM before it stops you.
> -------------------------------------------------------------------
> </b>



-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection.
http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free technical support.
Stop SPAM before it stops you.
-------------------------------------------------------------------


-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection.
http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free technical support.
Stop SPAM before it stops you.
-------------------------------------------------------------------