
Re: "pf" question



'To quote Dirk Rosler..'

> 
> On Wednesday, Sep 25, 2002, at 21:13 Asia/Tokyo, Dave Edwards wrote:
> 
> > The least it will do is make port scans of your network very tedious.
> 
> That's a fallacy. Everything that would appear as closed will simply  
> appear as filtered. No answer is also an answer. Open ports will still  
> be open. No difference. 

Yep, there is.  Suck it and see.  A port scan on a firewall-protected
host that returns RST will complete very quickly, and against one
that drops the packets it will take yonks - hence "tedious".

> Thus you are far from "stealth", in fact you  
> are revealing extra info to a scanner: "I have a firewalling function  
> in the way", either at an extra hop or on the host itself.

As you point out, stealth is a fallacy, dropped packets mean 
something too.  But it takes a _lot_ longer to find it out!

> Besides the return-rst setup is what keeps being referred to as a "Good  
> Neighbour Firewall":

Hmmm, good for whom?  If I'm offering ports 25, 80 and 443, why
are people hitting on 1433?  Are they good neighbors?  Stuff it,
I don't want the packets so I'll drop them on the floor..

FWIW, my concept of a "good neighbor" firewall is one which blocks
_outbound_ by default!

> "The lack of response makes the SYN flood attack more effective.  
> Brenton suggested in a SANS webcast (Brenton 2002) that firewalls could  
> be configured to reject segments destined for protected ports which  
> still entails dropping the packet but in addition sending a RST. This  
> is a _good neighbor_ firewall configuration which if universally  
> applied would make SYN flood attacks ineffective."

I grant you that this makes a good case.  But a lot of methods
have been used at the server and network device end to handle 
SYN floods.  You can't rely on others to protect your network 
services.

> http://216.239.53.100/search?q=cache:jd7kbuoMHOMC:www.giac.org/practical/Gerald_Gordon_GSEC.doc+chris+brenton+firewall+return+reset&hl=en&ie=UTF-8

http://www.whitefang.com/sup/secure-faq.html#GENERAL5

:-)
dave
-- 
Dave Edwards  	           
davo_(_at_)_chunga_(_dot_)_apana_(_dot_)_org_(_dot_)_au || davo_(_at_)_sa_(_dot_)_apana_(_dot_)_org_(_dot_)_au
Adelaide, South Australia                  
----   
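The two pf behaviours argued over above (silently dropping unwanted packets versus answering them with a RST), plus the default-deny outbound policy Dave mentions, side by side as an added example. This is a hypothetical pf.conf fragment written for this page, not a ruleset from either poster; the interface name, the management network and the outbound service list are assumptions.

```pf
# Added example (not from the thread): hypothetical pf.conf contrasting
# "drop" with "return" for unwanted inbound traffic, and blocking outbound
# by default.  Interface, networks and outbound ports are assumed values.
ext_if = "fxp0"                       # assumed external interface
tcp_services = "{ 25, 80, 443 }"      # the services Dave says he offers
admin_net = "192.0.2.0/24"            # assumed management net (documentation range)

set block-policy drop                 # what a bare "block" does when no keyword is given

# Inbound: drop everything on the floor by default.  A scanner's SYN to 1433
# gets no answer at all, so the scanner must wait out its own timeout before
# moving on; nmap reports the port as "filtered" rather than "closed".
block drop in log on $ext_if all

# The alternative ("good neighbour") policy: answer each probe with a TCP RST
# (or ICMP unreachable for UDP), so the probe fails at once and the port shows
# as "closed".  Pick one of the two block lines, not both.
# block return in log on $ext_if all

# Either way, the offered services are visible as open; neither policy hides them.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services keep state
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state

# Outbound: block by default, returning RST so local processes fail fast instead
# of hanging, then permit only what the host actually needs to originate.
block return out log on $ext_if all
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 25, 80, 443 } keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
```

pf evaluates rules last-match-wins unless `quick` is used, so the broad `block` lines go first and the narrower `pass` lines after them override for the permitted ports. Dropping inbound costs a scanner one full timeout per probed port; returning RST costs it roughly one round trip, which is the whole difference in scan duration being argued over.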