UNWANTED state
Matteo Croce
rootkit85 at yahoo.it
Thu Dec 30 01:39:48 CET 2004
> On Thu, Dec 30, 2004 at 12:42:17AM +0100, Matteo Croce wrote:
> Perhaps you should consider using:
>
> --dport 113 -j REJECT --reject-with tcp-reset
> instead of hacking the kernel to disable icmp rejects?
>
# iptables -I INPUT 1 -p tcp --dport 4567 -j REJECT --reject-with tcp-reset
# hping3 127.0.0.1 -p 4567 -S
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0
--reject-with tcp-reset sends RST/ACKs, which are dropped by my firewall.
> Why do you care if people get an icmp unreachable when
> the service is down? You aren't making the box more secure IMO by not
> allowing the icmp error outbound.
Trying to reduce unneeded traffic to a minimum is a sort of protection against
DoS.
Let's say I have a 4096/400 ADSL.
Someone with a ~512kbit upload can send me a large amount of data on a closed
port with something like 'hping3 <IP> -S -p <PORT> --flood', and my 400kbit
upload will be unable to send 512Kbit of RST/ACKs.
If I drop unwanted data, the attacker needs an upload of ~4200Kbit
to DoS my box, since he needs to fill my download instead of my upload.
And having such a target will avoid having to open/close ports as needed, since only
used ports are available.
--
.""`. Matteo Croce <rootkit85 at yahoo.it>
: :" : proud Debian admin and user
`. `"`
`- Debian - when you have better things to do than fix a system
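The bandwidth argument in the post, worked through as an added example (not code from the post or from netfilter): a small model of how much of a victim's upload a reflected REJECT reply consumes versus what an attacker must supply when the victim simply DROPs. The 4096/400 ADSL, the 512kbit attacker and the 40-byte SYN (hping3's "len=40") come from the post; the 40-byte RST/ACK size and the generalising `reply_bytes` parameter (for larger replies such as an ICMP error) are assumptions.

```python
# Added example: model of the REJECT-vs-DROP bandwidth asymmetry described
# in the post. All rates are in kbit/s. Packet sizes are assumptions
# except the 40-byte SYN, which comes from the hping3 output on the page.

from dataclasses import dataclass

KBIT = 1000  # bits per kbit


@dataclass(frozen=True)
class Link:
    down_kbit: float
    up_kbit: float


def packets_per_second(link_kbit: float, packet_bytes: int) -> float:
    """Number of packets of the given size needed to fill a link of this rate."""
    return link_kbit * KBIT / (packet_bytes * 8)


def reject_upload_needed_kbit(attacker_up_kbit: float,
                              syn_bytes: int = 40,
                              reply_bytes: int = 40) -> float:
    """Upload rate the victim spends answering every SYN of a flood that
    fills the attacker's upload (REJECT, one reply per request).
    reply_bytes > syn_bytes models a reply larger than the request."""
    pps = packets_per_second(attacker_up_kbit, syn_bytes)
    return pps * reply_bytes * 8 / KBIT


def reject_saturates_victim(victim: Link, attacker_up_kbit: float,
                            syn_bytes: int = 40, reply_bytes: int = 40) -> bool:
    """True when the reflected replies alone exceed the victim's upload."""
    needed = reject_upload_needed_kbit(attacker_up_kbit, syn_bytes, reply_bytes)
    return needed > victim.up_kbit


def drop_saturates_victim(victim: Link, attacker_up_kbit: float) -> bool:
    """With DROP nothing is reflected: the attacker must fill the victim's
    download link with his own upload (the post's ~4200Kbit estimate)."""
    return attacker_up_kbit >= victim.down_kbit


if __name__ == "__main__":
    adsl = Link(down_kbit=4096, up_kbit=400)   # the post's 4096/400 ADSL
    print("REJECT, 512kbit attacker saturates 400kbit upload:",
          reject_saturates_victim(adsl, 512))
    print("DROP, 512kbit attacker saturates 4096kbit download:",
          drop_saturates_victim(adsl, 512))
```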