iptables question

Charles Curley charlescurley at charlescurley.com
Wed Nov 5 22:01:57 MST 2008

On Wed, Nov 05, 2008 at 09:41:02AM -0700, Aaron Toponce wrote:
> On Wed, Nov 05, 2008 at 07:25:41AM -0700, Hans Fugal wrote:
> > Could you explain that in more depth for me? I see how REJECT is nicer
> > on the TCP side of things, but I don't see how that makes it preferable
> > for security. The conventional wisdom I've always heard is that DROP
> > reveals less about your firewall, acts in a small way as a tarpit for
> > e.g. portscanners, etc. I think I prefer REJECT personally, so I look
> > forward to your arguments.
> My limited understanding of TCP is this (if I'm wrong, please correct
> me):
> When a synchronous TCP packet is sent (SYN), there will always be a
> response. If it is any packet other than the last, you will receive an
> acknowlegement packet (ACK). If you send a FIN packet (finished with the
> established connection), you will receive a reset packet (RST).
> If the host does not exist, your client will notify you as such. If the
> port is blocked, your client will notify you. In fact, in every scenario
> I can think of regarding TCP, you always receive a response back-
> regardless of the packet being sent.

So far so good. But the key difference is where that response
originates. If the host does not exist, the response originates at
your computer, and it tells you that the host does not exist.

If the host does exist and drops packets (rather than replying to
them), you can't tell the difference between that and no host at that
address. A cracker could scan all 128K ports (64K x UDP and TCP). But
she'd find lightly scanning each of a lot of IP addresses a more
"productive" use of her time.

If the host is a big web server, the cracker will find it as soon as she
probes port 80, and stealth mode on the rest of its ports is

If the host is on the Internet and running no visible services (a
typical home computer), then stealth mode (dropping all incoming
packets that aren't part of a connection the host initiated) is just
the thing. Sending back a reject is the IP equivalent of the coyote
saying, "nobody here but us chickens, boss."

> However, DROP always advertises itself, even if you're not sending
> packets back. 

How does dropping advertise? Precisely because it drops packets it
does not advertise. 

> Of course, if an attacker already knows you exist, these are just speed
> bumps to the dedicated.

Yup. So not letting her know you exist strikes me as a real good idea.


Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://plug.org/pipermail/plug/attachments/20081105/bc3dd2e7/attachment.bin 

More information about the PLUG mailing list