Nmap Announce mailing list archives
Re: Best way to block incoming TCP connections?
From: Greg Hinton <zenbum () websalad net>
Date: Sat, 06 May 2000 16:04:20 -0700
Alexander Demenshin wrote:
> BTW you still did not explain why the policy "ALLOW only what we need and DROP all other" is bad :)
Sorry, I guess I concluded the answer was obvious. "ALLOW only what we need..." is hopelessly vague and therefore useless IMHO. "...DROP all other" is a gross violation of IETF standards. And it makes your ports stick out like swollen thumbs to crackers scanning them. If you wanna drop all other and be non-compliant, then be my guest, there's Protocol Police to arrest you (although Janet Reno is no doubt working on it). But I (and a few others on this list) would like to at least have the OPTION to implement a compliant firewall that encourages crackers to "move along" to the next sucker's system. We're not trying to force anyone to do it our way, we just want the ability to do it THE RIGHT WAY on our own systems.
> You also did not explain _how_ it could be used to distinguish a really used (and opened) port from the bunch of unused (but filtered) ones.
I don't understand your question. Distinguish to whom? And why do we want to "distinguish"? What my proposal would allow is to transmit a TCP RST packet at those times when either you're supposed to do so, or it is in your best interest to do so. And as I said before, if you choose not to do so, for whatever reasons (maybe because I bought you too many beers), then you're absolutely free to do things the way you've always done them. FREEDOM! How can anyone object to that?
> You just cannot predict what kind of attack to expect in the future, so you cannot be 100% secure (you know this already) as long as you use computers and other kinds of electronics.
Well, I agree with the overall philosophy of your statement, we're in a never-ending arms race with the crackers. As long as Sendmail exists there will be compromised systems. ;-) But the details of your statement just aren't true I'm afraid. For example, I can predict with 100% certainty that someone will do an "nmap -sA" scan on your firewall sometime in the near future. (And if I'm wrong then I'll find your IP address and do one myself, just because I refuse to be wrong) ;-)
> And again - I am _not_ against your ideas, I just have a different opinion and (possibly) experience :)
Excellent! Then you'll of course sign my "Yes On RST" proposition? ;-) Ugh... at some point I really am gonna do what I promised to do and stop posting on this thread. No, really... Honest! If Rusty hasn't yet been convinced of the simple beauty of my proposal then it's probably hopeless and I should shut up. But I still have a glimmer of hope that if the masses rise up in protest then he'll listen. He is, after all, a rather benevolent dictator. ;-) Take care Al...

--
Greg Hinton (aka ZenBum) <zenbum () websalad net>
<http://www.websalad.net>
"Search for me in the words I failed to find." -- Blaga Dimitrova
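The two policies argued over in this message, as an added example that is not from the thread or from any firewall project: a small Python model of what a host sends back to a probe under a silent DROP policy versus the RFC 793 reset behaviour Greg wants to be able to configure. Port numbers, sequence numbers and the open-port set are constructed; the policy names "drop" and "reset" are this model's own.

```python
# Added example, not code from the thread: model the reply a host emits to a
# probe under a silent DROP policy versus RFC 793 reset behaviour.
from dataclasses import dataclass
from typing import FrozenSet, Optional

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0


def rfc793_reset(probe: Segment) -> Segment:
    """RST that RFC 793 section 3.4 prescribes for a segment hitting a CLOSED port."""
    if probe.flags & ACK:
        # Incoming segment carries ACK: RST takes its SEQ from that ACK field,
        # and carries no ACK flag of its own.
        return Segment(probe.dst_port, probe.src_port, probe.ack, 0, RST)
    # No ACK on the incoming segment: RST has SEQ 0 and ACKs everything
    # received; a SYN occupies one sequence number.
    syn_len = 1 if probe.flags & SYN else 0
    ack = (probe.seq + probe.payload_len + syn_len) & 0xFFFFFFFF
    return Segment(probe.dst_port, probe.src_port, 0, ack, RST | ACK)


def respond(probe: Segment, open_ports: FrozenSet[int], policy: str) -> Optional[Segment]:
    """Reply the host sends, or None when the probe is silently discarded.

    policy: "reset" = RFC 793 behaviour on unused ports, "drop" = discard.
    Allowed (open) ports behave the same under either policy.
    """
    if probe.dst_port in open_ports:
        if probe.flags & SYN and not probe.flags & ACK:
            # New connection request: SYN/ACK (ISN fixed at 0 in this model).
            return Segment(probe.dst_port, probe.src_port, 0,
                           (probe.seq + 1) & 0xFFFFFFFF, SYN | ACK)
        # Anything else arriving at a LISTEN port with no connection: RST.
        return rfc793_reset(probe)
    if policy == "drop":
        return None
    if policy == "reset":
        return rfc793_reset(probe)
    raise ValueError(f"unknown policy: {policy}")
```

Under "drop", an ACK probe to an allowed port still draws a RST while unused ports stay silent, which is the asymmetry the message refers to; under "reset", every port answers the same way.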