[ previous ] [ next ] [ threads ]
 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Reject or Deny?
 Date:  Tue, 28 Jun 2005 13:58:36 +0200
Hallo Chris,

Chris Buechler schrieb am 27. June 2005:

>Any firewall should be (IMO) completely stealth by default, invisible
>from anyone probing the Internet.

Gee Chris, I am very much surprised to read this from somebody like
you. As you know, there is no such thing as "stealth", a timeout is
just as good a confirmation as a reject. If there really was no
host, the router in front of it would have said "nobody here".

I agree that a timeout annoys a possible intruder more than a reject.

But what those "stealth" people do (your words: "invisible from anyone
probing"), is ruin good things like Path MTU discovery, because they
also block ICMP type 3 (fragmentation needed, but DF flag set).

>If you want to be polite, sure, use reject. But the Internet hasn't
>been a polite place for quite some time.

That is no good reason to be just as rude? You don't mug people just
because that's quite common around your neighbourhood? Anyway: I still
see your point, so why not e.g. reject the primary ports <1024 and
deny everything above?

>If you have ports open, they're going to find them either way, and if
>you don't, it's not giving them much of anything to know there's
>actually a host alive there vs. no host there.

Gee Chris, there is no such thing as "stealth". A timeout means the
machine is there, just as a reject.

Best regards   Frederick