Matteo Croce rootkit85 at yahoo.it
Thu Dec 30 01:39:48 CET 2004

> On Thu, Dec 30, 2004 at 12:42:17AM +0100, Matteo Croce wrote:
> Perhaps you should consider using:
> --dport 113 -j REJECT --reject-with tcp-reset
> instead of hacking the kernel to disable icmp rejects?

# iptables -I INPUT 1 -p tcp --dport 4567 -j REJECT --reject-with tcp-reset
# hping3 -p 4567 -S
HPING (lo S set, 40 headers + 0 data bytes
len=40 ip= ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0

--reject-with tcp-reset sends RST/ACKs that are dropped by my firewall

> Why do you care if people get an icmp unreachable when
> the service is down?  You aren't making the box more secure IMO by not
> allowing the icmp error outbound.

Trying to reduce unneeded traffic to a minimum is a sort of protection against 
Let's say I have a 4096/400 ADSL.
Someone with a ~512kbit upload can send me a large amount of data on a closed 
port with something like 'hping3 <IP> -S -p <PORT> --flood', and my 400kbit 
will be unable to send 512Kbit of RST/ACKs.
If I drop unwanted data, the attacker needs an upload of ~4200Kbit
to DoS my box, since he needs to fill my download instead of my upload.

And having such a target will avoid opening/closing ports as needed, since only 
used ports are available.

  .""`.     Matteo Croce <rootkit85 at yahoo.it>
 : :"  :    proud Debian admin and user
 `. `"`
   `-  Debian - when you have better things to do than fix a system
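The two claims in the message (that a tcp-reset REJECT reflects one RST/ACK per SYN while DROP reflects nothing, and that this decides which side of an asymmetric ADSL link an attacker has to fill) can be checked with the same hping3 probe the post uses. The script below is an added example, not code from the post or from the netfilter project. It parses hping3 -S reply lines in the format shown above, classifies what the probe saw (RST/ACK, SYN/ACK, or no reply), and then computes the attacker upstream needed to saturate a link under each policy using the post's 4096/400 kbit figures and 40-byte SYN and RST/ACK packets. The sample outputs are constructed for the example; the ICMP-unreachable reply lines hping3 prints for ICMP rejects are not parsed, and link-layer framing overhead is ignored, both by assumption.

```python
import re
from dataclasses import dataclass

# hping3 reply line in the format shown in the post. The ip= field may be empty,
# as it is in the archived output, so it is matched with \S*.
#   len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0.1 ms
REPLY_RE = re.compile(
    r"^len=(?P<len>\d+) ip=(?P<ip>\S*) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+)"
)
# Summary line hping3 prints on exit.
STATS_RE = re.compile(r"^(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received")

# Constructed sample outputs for the three cases (not captured from the post).
# Case 1: closed port behind REJECT --reject-with tcp-reset: one RST/ACK per SYN.
SAMPLE_REJECT_RST = """\
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=1 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=2 win=0 rtt=0.1 ms

--- 127.0.0.1 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
"""
# Case 2: closed port behind DROP: nothing comes back at all.
SAMPLE_DROP = """\
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes

--- 127.0.0.1 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
"""
# Case 3: a listening port answers SYN/ACK.
SAMPLE_OPEN = """\
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=65495 rtt=0.1 ms

--- 127.0.0.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
"""


@dataclass
class ProbeResult:
    sent: int           # SYNs hping3 reports having transmitted
    replies: int        # reply lines seen
    reply_bytes: int    # bytes reflected by the target, summed from the len= fields
    flags: frozenset    # TCP flag strings seen in replies, e.g. {"RA"}
    state: str          # "open", "closed-rst", "filtered" or "unknown"


def classify_hping(output: str) -> ProbeResult:
    """Parse hping3 -S output and say what the probed port/policy looks like."""
    sent = replies = reply_bytes = 0
    flags = set()
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies += 1
            reply_bytes += int(m.group("len"))
            flags.add(m.group("flags"))
            continue
        m = STATS_RE.match(line)
        if m:
            sent = int(m.group("sent"))
    if "SA" in flags:
        state = "open"
    elif "RA" in flags:
        # RST/ACK: either the kernel's own reply for a closed port or
        # REJECT --reject-with tcp-reset; the probe cannot tell the two apart.
        state = "closed-rst"
    elif replies == 0:
        # DROP (or an outbound filter eating the RSTs, as in the post): no reflection.
        state = "filtered"
    else:
        state = "unknown"
    return ProbeResult(sent, replies, reply_bytes, frozenset(flags), state)


def attacker_upstream_kbit(state: str, down_kbit: float, up_kbit: float,
                           syn_bytes: int = 40, reply_bytes: int = 40) -> float:
    """Minimum attacker upstream (kbit/s) that saturates one direction of the target's link.

    closed-rst: every SYN of syn_bytes reflects one reply of reply_bytes onto the
    target's upstream, so the upstream is full once the SYN rate reaches
    up_kbit / reply_bytes packets, i.e. at an attacker rate of
    up_kbit * syn_bytes / reply_bytes. The attacker may also fill the downstream
    directly, so the cheaper of the two is the cost of the attack.
    filtered: nothing is reflected, so only the downstream can be filled.
    Link-layer overhead is ignored (assumption).
    """
    if state == "closed-rst":
        return min(down_kbit, up_kbit * syn_bytes / reply_bytes)
    if state == "filtered":
        return down_kbit
    raise ValueError(f"no DoS-cost model for state {state!r}")


if __name__ == "__main__":
    for name, sample in (("REJECT tcp-reset", SAMPLE_REJECT_RST), ("DROP", SAMPLE_DROP)):
        r = classify_hping(sample)
        cost = attacker_upstream_kbit(r.state, 4096, 400)
        print(f"{name}: {r.state}, {r.replies}/{r.sent} replies, "
              f"{r.reply_bytes} bytes reflected, attacker needs ~{cost:.0f} kbit/s")
```

With the post's figures the model gives 400 kbit/s for the tcp-reset policy and 4096 kbit/s for DROP, which is the asymmetry the message argues from. The flip side a practitioner should keep in mind: a dropped SYN looks identical to a dead host, so legitimate clients hitting a closed port wait for their connection timeout instead of getting an immediate RST.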

More information about the netfilter-devel mailing list