Nmap Announce mailing list archives

Re: Best way to block incoming TCP connections?


From: Greg Hinton <zenbum () websalad net>
Date: Sat, 06 May 2000 16:04:20 -0700

Alexander Demenshin wrote:

  BTW you still did not
  explain why the policy "ALLOW only what we need and DROP all other" is bad :)

Sorry, I guess I concluded the answer was obvious.

"ALLOW only what we need..." is hopelessly vague and therefore useless
IMHO.

"...DROP all other" is a gross violation of IETF standards.  And it makes
your ports stick out like swollen thumbs to crackers scanning them.  If
you wanna drop all other and be non-compliant, then be my guest, there's no
Protocol Police to arrest you (although Janet Reno is no doubt working on
it).  But I (and a few others on this list) would like to at least have
the OPTION to implement a compliant firewall that encourages crackers to
"move along" to the next sucker's system.  We're not trying to force
anyone to do it our way, we just want the ability to do it THE RIGHT WAY
on our own systems.

  You also did not explain _how_ it could be used to distinguish a really used
  (and opened) port from the bunch of unused (but filtered) ones.

I don't understand your question.  Distinguish to whom?  And why do we
want to "distinguish"?

What my proposal would allow is to transmit a TCP RST packet at those
times when either you're supposed to do so, or it is in your best interest
to do so.  And as I said before, if you choose not to do so, for whatever
reasons (maybe because I bought you too many beers), then you're
absolutely free to do things the way you've always done them.

FREEDOM!  How can anyone object to that?

  You just cannot predict what kind of attack to expect in the future, so
  you cannot be 100% secure (you know this already) as long as you use computers
  and other kinds of electronics.

Well, I agree with the overall philosophy of your statement, we're in a
never-ending arms race with the crackers.  As long as Sendmail exists
there will be compromised systems. ;-)  But the details of your statement
just aren't true I'm afraid.  For example, I can predict with 100%
certainty that someone will do an "nmap -sA" scan on your firewall
sometime in the near future.  (And if I'm wrong then I'll find your IP
address and do one myself, just because I refuse to be wrong) ;-)

  And again - I am _not_ against your ideas, I just have a different opinion
  and (possibly) experience :)

Excellent!  Then you'll of course sign my "Yes On RST" proposition? ;-)

Ugh... at some point I really am gonna do what I promised to do and stop
posting on this thread.  No, really... Honest!

If Rusty hasn't yet been convinced of the simple beauty of my proposal
then it's probably hopeless and I should shut up.  But I still have a
glimmer of hope that if the masses rise up in protest then he'll listen. 
He is, after all, a rather benevolent dictator. ;-)

Take care Al...

-- 
Greg Hinton (aka ZenBum)
<zenbum () websalad net>      <http://www.websalad.net>
"Search for me in the words I failed to find."  -- Blaga Dimitrova
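
As an added illustration of the argument above (not part of the original post), here is a small Python model of what a probing host can infer from a firewall's replies under a silent-DROP policy versus one that answers a filtered port with a TCP RST, the way a closed port does under RFC 793. The state and policy names are assumptions of the model, not anything from the list discussion.

```python
# Model of the scanner's view of one port under two firewall policies.
# Constructed example: real states are OPEN, CLOSED (no firewall rule) and
# FILTERED (blocked by the firewall); the policy decides what a FILTERED
# port answers.  Everything else follows RFC 793 host behaviour.
from dataclasses import dataclass
from typing import Optional

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


@dataclass(frozen=True)
class Policy:
    name: str
    filtered_reply: Optional[str]  # segment sent for a probe to a FILTERED port


DROP = Policy("drop", None)          # discard silently, send nothing back
REJECT_RST = Policy("rst", "RST")    # answer as a closed port would


def respond(state: str, flag: str, policy: Policy) -> Optional[str]:
    """Segment the target sends back for a SYN or ACK probe, None if nothing."""
    if state == FILTERED:
        return policy.filtered_reply
    if flag == "SYN":
        # RFC 793: a listening port answers SYN/ACK, a closed port answers RST
        return "SYN/ACK" if state == OPEN else "RST"
    # An unsolicited ACK to any reachable port is answered with RST
    return "RST"


def syn_probe_view(state: str, policy: Policy) -> str:
    """What a SYN probe lets the sender conclude about the port."""
    reply = respond(state, "SYN", policy)
    return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]


def ack_probe_view(state: str, policy: Policy) -> str:
    """What an ACK probe (nmap -sA style) lets the sender conclude."""
    return "unfiltered" if respond(state, "ACK", policy) == "RST" else "filtered"


def firewall_visible(policy: Policy) -> bool:
    """True when a FILTERED port can be told apart from a plain CLOSED one,
    i.e. when the policy reveals that a firewall is in the path."""
    views = {s: (syn_probe_view(s, policy), ack_probe_view(s, policy))
             for s in (CLOSED, FILTERED)}
    return views[FILTERED] != views[CLOSED]
```

With DROP the filtered port answers nothing, so both probes report "filtered" and the firewall is visible; with the RST policy it answers exactly like a closed port and the two cannot be told apart.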

