iptables question

Aaron Toponce aaron.toponce at gmail.com
Wed Nov 5 09:41:02 MST 2008


On Wed, Nov 05, 2008 at 07:25:41AM -0700, Hans Fugal wrote:
> Could you explain that in more depth for me? I see how REJECT is nicer
> on the TCP side of things, but I don't see how that makes it preferable
> for security. The conventional wisdom I've always heard is that DROP
> reveals less about your firewall, acts in a small way as a tarpit for
> e.g. portscanners, etc. I think I prefer REJECT personally, so I look
> forward to your arguments.

My limited understanding of TCP is this (if I'm wrong, please correct
me):

When a synchronous TCP packet is sent (SYN), there will always be a
response. If it is any packet other than the last, you will receive an
acknowlegement packet (ACK). If you send a FIN packet (finished with the
established connection), you will receive a reset packet (RST).

If the host does not exist, your client will notify you as such. If the
port is blocked, your client will notify you. In fact, in every scenario
I can think of regarding TCP, you always receive a response back-
regardless of the packet being sent.

So, my understanding, is that if you're dropping packets- not sending
back any acknowlegement, then it's obvious you're doing so, and you're
running a firewall. At which point, I just need to figure a way through
or around it. If you're sending packets back, rejecting the packets,
then you're behaving more like a standard TCP implementation. The only
question remains as to what reason you're sending for rejecting the
packets, be ICMP port, network, host or protocol unreachable, ICMP host
or network prohibited or reject with TCP reset. I'm sure some reasons
can produce better obscurity than others.

However, DROP always advertises itself, even if you're not sending
packets back. From my perspective, it's a Big Red Bullseye, where REJECT
could mean a number of things, not necessarily advertising that a
firewall exists. Further, as already discussed, DROP adds lengthy
timeouts to applications, and could be an annoyance for the honest.

Of course, if an attacker already knows you exist, these are just speed
bumps to the dedicated. But, for reconnaissance, REJECT could keep a
stealth attack from becoming effective.

-- 
                       _
Aaron Toponce         ( )  ASCII Ribbon Campaign
www.aarontoponce.org   X   www.asciiribbon.org
                      / \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: Digital signature
Url : http://plug.org/pipermail/plug/attachments/20081105/0ed313ab/attachment.bin 


More information about the PLUG mailing list