Re: Iptables Clues and Advices.

From: Michael Kluge <michael.kluge(at)wundermedia.de>
Date: Fri Apr 11 2003 - 04:32:59 EDT


Hi!

I think DROP does indeed give some kind of extra security over REJECT. Most scanners are used on networks, not on specific hosts. These scanners (like nmap) usually try to ping (ICMP or TCP) each host in a network. Only hosts that answer are scanned. So if you use DROP, in many cases your host will not be found and will therefore not be subject to attack.
At least it will keep off a lot of script-kiddies.

It is true that if you provide any service to the internet, your host CAN be found by portscanning. But it's not true that it WILL necessarily be found by portscanning if you use DROP. If using REJECT, it usually will be found! And this is exactly the difference between these two methods and IMHO the best reason to use DROP. A legitimate user won't run into any problems, as a legitimate user will only connect to open ports.

The only port I use REJECT for is TCP 113 (ident), because many services (e.g. many FTP servers) try to connect to this port.

Michael.

> -----Original Message-----
> From: Jeff Harris [mailto:jharris@tahongawaka.nu]
> Sent: Wednesday, April 9, 2003 20:51
> To: security-basics@securityfocus.com
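The policy described in the message above, written out as an iptables-restore ruleset generator. This is an added example, not code from the original post: the served port list and the choice of `--reject-with tcp-reset` for ident are assumptions; the post only says REJECT is used for TCP 113 and DROP elsewhere.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset that follows the policy in the post:
# unsolicited traffic (including the ICMP/TCP pings used by network sweeps)
# falls to a DROP policy, so the host stays silent; ident (TCP 113) is
# REJECTed so remote FTP/SMTP servers that query it fail fast instead of
# waiting for a timeout. Assumed values: SERVED_PORTS and tcp-reset.
SERVED_PORTS="22 80 443"   # assumption: ports this host actually serves

gen_rules() {
    served="$1"
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # default policy: silently discard
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # replies to connections this host opened (e.g. to an FTP server)
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # only new SYNs to served ports are accepted; a scanner sees these anyway
    for p in $served; do
        echo "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ident: answer with a TCP RST so the remote service gives up immediately
    echo "-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # everything else, ICMP echo included, hits the INPUT DROP policy
    echo "COMMIT"
}

# Usage: sh gen_rules.sh /etc/iptables/rules.v4, then review and load with
# iptables-restore (requires root). With no argument nothing is written.
if [ -n "${1:-}" ]; then
    gen_rules "$SERVED_PORTS" > "$1"
fi
```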

Received on Mon Apr 14 14:43:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:03 EDT

