Subject: Re: [gentoo-user] Is this firewall safe?
From: Daniel Troeder
To: gentoo-user@lists.gentoo.org
Date: Fri, 24 Apr 2009 19:23:16 +0200
In-Reply-To: <49F1F017.10302@cdf123.net>
References: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com> <49F1F017.10302@cdf123.net>
Message-Id: <1240593796.13872.20.camel@mayo.local>

On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending ICMP
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.

While all that is correct, I would also consider it "bad network behavior" (no offense intended). It feels like "security through obscurity". It may hamper the proper functioning of a TCP/IP network, as that relies heavily on ICMP. Probably it will never be a problem for you, but it could be a problem for a network administrator.

Also: if you wish to scan yourself (with nmap) to check your system (configuration), you'll wish for REJECT instead of DROP :)

On a (not so) different topic: if you're going to make your firewall more complex (more services, or other stuff), I'd suggest using a widely used firewall script.
That is more secure than writing your own firewall configuration, because in the long run it will be more maintainable (and they often also do "smart stuff(TM)" ;)

My recommendation is "net-firewall/shorewall". It has a well-balanced abstraction/granularity ratio, and the iptables rules it produces are still readable :)

Bye,
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
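The REJECT-versus-DROP trade-off argued in the two messages above, written out as an added example in raw iptables (iptables-restore format). This ruleset is not from the thread and not the original poster's firewall; it assumes a single-interface IPv4 host that offers only SSH. The comments state what nmap reports for each choice and why ident/auth (tcp/113) is the one port that should be rejected even on a DROP-policy box.

```iptables
# Added example (not from the thread): minimal IPv4 host firewall showing
# the REJECT/DROP choice. Assumptions: one interface, only SSH offered,
# IPv4 only (ip6tables needs its own table and must not drop ICMPv6 wholesale).
# Load with:  iptables-restore < this-file     Inspect with:  iptables -S
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and already-tracked traffic first. RELATED also admits the ICMP
# errors (unreachable, fragmentation-needed/PMTU, TTL exceeded) that belong
# to our own connections; this is the ICMP that TCP/IP relies on.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Answer ping, rate-limited so it cannot be used to flood the host.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT

# Services actually offered.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Ident/auth (tcp/113): REJECT, never DROP. Mail and IRC servers probe it on
# connect and stall for their full timeout if nothing comes back.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Terminating rules, REJECT variant (what Daniel argues for):
#   tcp-reset              -> nmap reports TCP ports "closed" at once
#   icmp-port-unreachable  -> nmap reports UDP ports "closed" at once
# A self-scan finishes in seconds and the result is unambiguous.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# DROP variant (what Chris argues for): delete the three REJECT lines above
# and let the chain policy (:INPUT DROP) take over.
#   nmap reports TCP "filtered" and UDP "open|filtered", but only after its
#   retransmit timeouts, so the scan is slow and the result is ambiguous;
#   legitimate clients of anything you forgot to open hang the same way.
COMMIT
```

Note the distinction REJECT's `--reject-with` makes: a bare `-j REJECT` sends ICMP port-unreachable, which nmap still classes as "filtered" for TCP; only `tcp-reset` produces the clean "closed" that Daniel's self-scan argument is after. Either REJECT form gives the scanner an immediate answer, which is exactly what Chris's DROP advice withholds.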