Re: "pf" question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: "pf" question
- From: Dave Edwards <davo_(_at_)_chunga_(_dot_)_apana_(_dot_)_org_(_dot_)_au>
- Date: Thu, 26 Sep 2002 18:04:04 +0930 (CST)
'To quote Dirk Rosler..'
>
> On Wednesday, Sep 25, 2002, at 21:13 Asia/Tokyo, Dave Edwards wrote:
>
> > The least it will do is make port scans of your network very tedious.
>
> That's a fallacy. Everything that would appear as closed will simply
> appear as filtered. No answer is also an answer. Open ports will still
> be open. No difference.
Yep there is. Suck it and see. A port scan on a firewall-protected
host that return-rsts will complete very quickly, and against one
that drops the packets will take yonks - hence "tedious".
> Thus you are far from "stealth", in fact you
> are revealing extra info to a scanner: "I have a firewalling function
> in the way", either at an extra hop or on the host itself.
As you point out, stealth is a fallacy, dropped packets mean
something too. But it takes a _lot_ longer to find it out!
> Besides the return-rst setup is what keeps being referred to as a "Good
> Neighbour Firewall":
Hmmm, good for who? If I'm offering ports 25, 80 and 443, why
are people hitting on 1433? Are they good neighbors? Stuff it,
I don't want the packets so I'll drop them on the floor..
FWIW, my concept of a "good neighbor" firewall is one which blocks
_outbound_ by default!
> "The lack of response makes the SYN flood attack more effective.
> Brenton suggested in a SANS webcast (Brenton 2002) that firewalls could
> be configured to reject segments destined for protected ports which
> still entails dropping the packet but in addition sending a RST. This
> is a _good neighbor_ firewall configuration which if universally
> applied would make SYN flood attacks ineffective."
I grant you that this makes a good case. But a lot of methods
have been used at the server and network device end to handle
SYN floods. You can't rely on others to protect your network
services.
> http://216.239.53.100/search?q=cache:jd7kbuoMHOMC:www.giac.org/practical/Gerald_Gordon_GSEC.doc+chris+brenton+firewall+return+reset&hl=en&ie=UTF-8
http://www.whitefang.com/sup/secure-faq.html#GENERAL5
:-)
dave
--
Dave Edwards
davo_(_at_)_chunga_(_dot_)_apana_(_dot_)_org_(_dot_)_au || davo_(_at_)_sa_(_dot_)_apana_(_dot_)_org_(_dot_)_au
Adelaide, South Australia
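An added pf.conf fragment (not from this thread or from OpenBSD itself) showing the two choices argued above side by side: a silent inbound drop, the commented-out `return-rst` alternative from the quoted SANS text, and an outbound default deny of the kind Dave calls a "good neighbor" firewall. The interface name em0 and the permitted outbound ports are assumptions.

```pf
# Added example, not from the thread. Assumes external interface "em0";
# syntax follows OpenBSD pf.conf(5).
ext_if = "em0"
offered_tcp = "{ 25, 80, 443 }"

# Loopback traffic is left alone.
pass quick on lo0 all

# Default policy in BOTH directions: drop silently (no RST, no ICMP).
# A scanner sees "filtered" and has to wait out its own timeout per probe.
block drop in on $ext_if all
block drop out on $ext_if all

# The "good neighbour" alternative: answer unwanted TCP with a RST so the
# peer fails fast instead of timing out. Use it in place of the inbound
# drop rule above if that is the trade-off you prefer.
# block return-rst in on $ext_if proto tcp all

# Only the services actually offered are reachable from outside.
pass in on $ext_if proto tcp from any to $ext_if port $offered_tcp flags S/SA keep state

# Outbound is denied by default; permit only what this host needs
# (DNS lookups and outgoing mail here). State entries let replies back in.
pass out on $ext_if proto { tcp, udp } from $ext_if to any port 53 keep state
pass out on $ext_if proto tcp from $ext_if to any port 25 flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; with the outbound deny in place, anything not listed (package fetches, NTP) will stop working until you add a matching pass out rule.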