more stupid network questions

David A. Bandel david
Mon May 17 12:01:20 PDT 2004


On Mon, 12 Apr 2004 17:06:20 -0700
Tony Alfrey <tonyalfrey at earthlink.net> wrote:

> On Monday 12 April 2004 11:08 am, David A. Bandel wrote:
> > On Mon, 12 Apr 2004 09:29:01 -0700
> >
> > Tony Alfrey <tonyalfrey at earthlink.net> wrote:
> > > On Monday 12 April 2004 08:44 am, David A. Bandel wrote:
> > > <snip>
> > >
> > > > study away.  What I did was to give you three stateful firewall
> > > > rules that should prevent anyone from connecting on eth0 (change
> > > > to whatever interface you use as your default gateway).  I don't
> > > > like the way the lines got changed, though.  Each line starts
> > > > with 'iptables' and ends with either ACCEPT or DROP.
> > >
> > > Yeah, I figured that out.
> > > So I can add this to MY box regardless of what my friend has on
> > > his firewall?
> >
> > Absolutely.  Then no one will be able to connect to you.  There is
> > one more rule you could use, but it's only useful against scans so I
> > omitted it.  Personal firewalls are always a good defense, but the
> > commercial ones like BlackIce, etc., I don't trust.  I trust
> > Firewall-1 (but it's a bit pricey and designed for high-end
> > connections) and I trust Netfilter/IPTables.
> 
> Why would I not want to use something useful against scans?  Isn't
> that a major part of the firewall thing?

There's nothing that can "defeat" a determined scan.  If a system is
connected to a network, even if no ports are open, _something_ is going
to happen.  The scanning system may not be able to "see" you directly,
but the fact that your gateway will "see" your card at the ARP level
will prevent it from sending an ICMP host unreachable.  The mere absence
of that tells a scanner your system is there.

Scans are a daily occurrence.  I get hundreds if not thousands per day. 
Some are innocent (like another mail system scanning my mail system to
see if it really is a mail server - anti-spam programs will do this,
like milter-sender that I use), and some are not.  Paranoia is good if
you don't get too paranoid.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		Nemesis Racing Team motto
GPG key autoresponder:  mailto:david_key at pananix.com
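As an added example (not the rules David actually posted, which are not in this archive), here is a stateful Netfilter/IPTables policy of the kind the thread describes: three rules on the default-gateway interface, each starting with `iptables` and ending in ACCEPT or DROP, so that nobody can open a new connection to the box while its own outbound connections keep working. The interface name, the use of the `state` match and the helper functions are my assumptions.

```shell
#!/bin/sh
# Added example, not the rules from the original thread (those are not in
# this archive). Stateful Netfilter/iptables policy for a single host:
# accept packets that belong to connections this host opened, drop every
# new inbound connection attempt on the default-gateway interface.
# Assumptions: iptables with the "state" match (-m state --state) is
# available, and the interface name passed in faces the default gateway.

# Print the three rules for the given interface, one per line, without
# applying them. Each line starts with "iptables" and ends with ACCEPT or
# DROP, so they can be reviewed before anything is changed on the box.
inbound_rules() {
    iface="$1"
    # 1. Replies to connections this host initiated (and related traffic,
    #    e.g. FTP data channels, ICMP errors for our own flows) come in.
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. Packets the connection tracker cannot place in any flow are dropped;
    #    many crafted scan probes fall into this class.
    echo "iptables -A INPUT -i $iface -m state --state INVALID -j DROP"
    # 3. Every new inbound connection attempt on this interface is dropped.
    #    DROP (not REJECT) sends nothing back; as the thread notes, the host
    #    is still discoverable because the gateway answers for it at ARP level.
    echo "iptables -A INPUT -i $iface -m state --state NEW -j DROP"
}

# Apply the rules. Requires root and refuses otherwise, so a plain run of
# this script only prints the rules.
apply_inbound_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_inbound_rules: must be root to modify iptables" >&2
        return 1
    fi
    inbound_rules "$1" | while IFS= read -r rule; do
        echo "+ $rule" >&2
        sh -c "$rule" || return 1
    done
}

# Usage: ./inbound.sh [iface]         -> print the rules
#        ./inbound.sh --apply [iface] -> apply them (as root)
case "${1:-}" in
    --apply) apply_inbound_rules "${2:-eth0}" ;;
    *)       inbound_rules "${1:-eth0}" ;;
esac
```

The rules only cover the INPUT chain on the named interface; loopback and any other interfaces are untouched, which matches the "prevent anyone from connecting on eth0" scope of the thread.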


