gracefull rst.
Pol Muaddib
muaddib@mailandnews.com
Sun, 5 Aug 2001 14:30:46 +0200
Hi Nigel,
I will describe it again, if you misunderstood me.
Port 113, which is the ident service, is used by many servers to log some
info about you and then let you in.
If your port drops these packets, the server will time out, and the
connection (for example 6667 or 21) will drop as a result. If you however use
RST, some servers will let you in but proclaim they did not find ident, but
others will just drop the connection saying "come back with your id or get
lost". I propose: why not put something like a finger message on a
designated port like the above 113 and have a programmable ident, and
numerous other services that could enjoy these features. But that's just
me, you don't have to agree with that.
Anyway, in regard to your claim that packets could still be sent back, I
say (and you are free to correct me): so what? This port was meant to be
opened, and I don't care if it sends me even fragmented packets, since this
is what's so great about iptables: it reassembles packets on the fly. iptables
will not let it play you for a fool like the old FTP PORT attack.
In regard to DDoS, all this talk about closing some ports or anything like
that is futile. It's all short term anyway. With the release of Windows XP
all hell is gonna break loose on the internet. XP has its 'unix socket'
fully implemented like in Unix and Windows 2000. Imagine what it would be
like when infected Sub7 machines will spoof their address when attacking and
also be able to perform SYN attacks, which they WEREN'T able to do in
Win95, 98, whatever garbage Windows releases, without taking any liability for
the damages. Personally I LIKE Microsoft since they make me a lot of work :)
security and stuff. KEEP UP THE GOOD WORK :)
Damn, I talk too much about a trivial, seemingly dumb question and suggestion
that could be solved with a simple Perl script :).
* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Nigel Morse
Sent: Monday, August 06, 2001 12:12 PM
To: muaddib@mailandnews.com; Radel; netfilter@lists.samba.org
Subject: Re: gracefull rst.
> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> for example, open port 113 -> "go away" -> close.
But RST is the go-away message, isn't it? If you don't want connections to
that port then don't allow them. Why let them get as far as opening it?
(i.e. why do you want to do this?)
Also, as I said before, whilst you can close the connection of data flow from
your computer to the remote machine, they CAN still send data and you can
still receive it. This is at least my understanding.
Cheers
Nigel
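An added example, not code from this thread or from the netfilter project: a minimal RFC 1413 (ident) responder in Python that illustrates the "programmable ident" idea discussed above. It assumes one policy, answering every lookup with ERROR : HIDDEN-USER, so a server that checks ident on port 113 before accepting an IRC or FTP session gets an immediate, well-formed reply instead of waiting for its timeout (what silently dropping the packets causes) or seeing a refused connection (what iptables' REJECT with --reject-with tcp-reset produces), and no real user name ever leaves the box. The names ident_reply, handle_client, serve and query are this example's own.

```python
"""Minimal RFC 1413 ident responder (constructed example, not from the thread).

Policy assumed here: every lookup is answered with ERROR : HIDDEN-USER, so
the remote server gets a quick, valid reply but learns nothing about which
local account owns the connection.
"""
import re
import socket
import threading

# Request line per RFC 1413: "<port-on-server> , <port-on-client>" + CRLF
_REQUEST = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_reply(request: str) -> str:
    """Return the RFC 1413 reply line for one request line."""
    m = _REQUEST.match(request.rstrip("\r\n"))
    if m is None:
        # Unparseable request: echo zeros so the reply still has the
        # "<port> , <port> : ERROR : <code>" shape an ident client expects.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    # Assumed policy: acknowledge the lookup but withhold the owner.
    return f"{sport} , {cport} : ERROR : HIDDEN-USER\r\n"


def handle_client(conn: socket.socket) -> None:
    """Serve one ident client: read one line, write one reply, close."""
    with conn:
        conn.settimeout(5.0)  # a peer that connects and stays silent is dropped
        data = b""
        try:
            while b"\n" not in data and len(data) < 64:
                chunk = conn.recv(64)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return
        reply = ident_reply(data.decode("ascii", "replace"))
        conn.sendall(reply.encode("ascii"))


def serve(host: str = "127.0.0.1", port: int = 113, backlog: int = 8) -> socket.socket:
    """Bind a listening socket and serve each client in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def query(host: str, port: int, server_port: int, client_port: int) -> str:
    """Act as the ident client a remote IRC or FTP server would be."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        return s.recv(256).decode("ascii")


if __name__ == "__main__":
    # Demo on loopback with an ephemeral port; binding 113 itself needs root.
    srv = serve(port=0)
    bound = srv.getsockname()[1]
    print(query("127.0.0.1", bound, 6667, 54321).rstrip())
    srv.close()
```

Run as a script it binds an ephemeral loopback port and queries itself once. The handler reads a single line with a 5-second timeout and closes, so a peer that opens port 113 and never sends anything cannot hold a thread open; out-of-range or malformed requests get ERROR : INVALID-PORT rather than a hang.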