Re: [SLUG] i put up my shields

From: patrick (patrick@llc.net)
Date: Mon May 14 2001 - 17:15:34 EDT


On Monday 14 May 2001 09:42 am, you wrote:
> On Mon, 14 May 2001, patrick wrote:
> > > > i installed my Mandrake firewall. i checked at the
> > > > place somebody sent us to and the only open
> > > > port is smtp. shields up :)
> >
> > On Monday 14 May 2001 12:14 am, you wrote:
> > > I prefer the Linksys router/firewall. Simple to use and does not
> > > respond to port probes, but rather drops the unwanted/unauthorized
> > > packets. Many software firewalls will "refuse" connections. I find
> > > more comfort in the firewall ignoring the probes rather than a refusal.
> > > Never let your opponent know you're there. Showing your firepower can
> > > reveal vulnerabilities.
> >
> > actually my mandrake shields were not showing themselves.
> > the probe place said they were stealthed. when a probe
> > was sent nothing came back. no response. my shields
> > refused nothing.
>
> ah-ha, but the catch is that since smtp was allowed, then the cracker knows
> that a machine is there... and that it is highly protected. hmm.. might
> contain valuable information... death star plans... McDonald's secret
> french fry formula... etc... :) and if this is a home firewall - is there
> an MX record that points to your machine (for smtp)? you don't need smtp
> to be open on the outside if you aren't running a mail server that the
> outside needs to contact :)

the shields said this. it said that my machine was not seen
from the internet. the reason it knew i had one port open
is because i was using them to check my machine. it said
something to the effect that in order to get into my machine
that whoever would have to watch the complete internet
to find me or something like that. shields up and stealth
shields no less.
>
> if this is a home firewall, it might be an idea (if you are already listening
> on the outside) to refuse tcp connection attempts with --reject-with
> tcp-reset, which sends a RST packet back - the same packet you get if
> nothing is listening at all. the refuse-with-nothing method, IMHO, is ok
> for hosts that don't listen on the outside... or only listen on the
> inside, but if you have one port open (and a popular one like smtp at that
> - which is scanned for in a standard nmap scan), then you are highly
> visible already and refuse-with-nothing on the other ports is just proof
> of a firewall which might be hiding something more interesting.
>
> just a thought...

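The two firewall styles discussed above, as an added example that is not from this thread: a POSIX shell script that builds an iptables ruleset for a home host exposing only SMTP, either silently dropping everything else or answering unwanted TCP with a RST via --reject-with tcp-reset. It assumes the external interface is eth0 (override with EXT_IF) and prints the rules rather than applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: iptables ruleset for a home host that
# only exposes SMTP (tcp/25), in either of the two styles discussed above.
#   MODE=drop   : discard everything else without answering (the "stealth" style)
#   MODE=reject : answer unwanted TCP with a RST, as an unfirewalled host would
# Rules are printed, not applied, unless APPLY=1 (needs root and iptables).
# Assumption: the external interface is eth0 and this host really runs SMTP.
EXT_IF="${EXT_IF:-eth0}"

build_rules() {
    mode="$1"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback, plus replies to connections this host opened itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The one service the outside may reach: SMTP.
    echo "iptables -A INPUT -i $EXT_IF -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    case "$mode" in
        drop)
            # No answer at all: probes to other ports simply time out.
            echo "iptables -A INPUT -i $EXT_IF -j DROP"
            ;;
        reject)
            # tcp-reset is only valid for TCP, so match -p tcp explicitly;
            # UDP gets the ICMP port-unreachable a closed port would send anyway.
            echo "iptables -A INPUT -i $EXT_IF -p tcp -j REJECT --reject-with tcp-reset"
            echo "iptables -A INPUT -i $EXT_IF -p udp -j REJECT --reject-with icmp-port-unreachable"
            ;;
        *)
            echo "usage: build_rules drop|reject" >&2
            return 1
            ;;
    esac
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        build_rules "${MODE:-reject}" | sh -e
    else
        build_rules "${MODE:-reject}"
    fi
}

main
```

Run it once with MODE=drop and once with MODE=reject to compare the two rulesets side by side before applying either.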


This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:34:41 EDT