Date:      Sun, 30 Nov 2003 16:00:24 -0500
From:      Louis LeBlanc <freebsd@keyslapper.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: adaptive stealth in ipfw?
Message-ID:  <20031130210023.GA17776@keyslapper.org>
In-Reply-To: <20031130154952.GE3867@freepuppy.bellavista.cz>
References:  <20031128165951.GA44168@keyslapper.org> <86brqws9jn.fsf@borg.borderworlds.dk> <20031128175832.GB44168@keyslapper.org> <20031130154952.GE3867@freepuppy.bellavista.cz>

On 11/30/03 04:49 PM, Roman Neuhauser sat at the `puter and typed:
> > <SNIP>
> > Still, if anyone *does* know the facts, I'd like to know what the
> > case really is with the IDENT port and adaptive stealth.
> 
>     don't get carried away by the nonsense at grc.com. the
>     marketroid-speak term "adaptive stealth" can be normally
>     described as stateful filtering (and dropping the packets
>     instead of rejecting them), and it means that (in case of TCP),
>     the target machine throws away packets that:
> 
>     * don't have the SYN bit set (and the ACK bit unset)
>     * are not part of an established "conversation"

I think that clears things up a little.

>     you can completely "stealth" a machine if it runs no publicly
>     available servers. the problem with ident is similar to FTP: the
>     first connection goes from you out, the other party then tries
>     to connect to you (as far as the stack is concerned, this is a
>     completely unrelated connection).
> 
>     but, the question is: what is your problem? why do you need to
>     have identd(8) running? will anything you need break without it?
>     if not, the correct solution to your problem is IMO to *reject*
>     connection attempts to your port 113.

I don't need identd.  I'm actually doing a simple reject on port 113
already, but I figured that if I could keep the system as 'invisible'
as possible, that would be best.  I AM running various services, but
only for my own personal/family use.  And I am the only one that
should be accessing all of these services from outside the firewall.

I had wondered if there was enough benefit to this process to make it
worth the overhead.

I'm beginning to think it isn't.

I've not been a security overreactor for some time, and I didn't
intend this to be a return to that mindset, so I'm just going to drop
this and leave the default reject on port 113.  The other ports I had
rejected are now simply being dropped.  Other than that, I check my
security mailings every day, and have had no problems for a very long
time.

Thanks for the feedback everyone.

Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

"If value corrupts then absolute value corrupts absolutely."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031130210023.GA17776>
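The stateful filtering Roman describes (admit a TCP segment only if it is a fresh SYN toward a served port or belongs to a conversation already in the state table, silently drop everything else, and reject rather than drop on port 113) as an added toy model in Python; it is not part of the original thread and not ipfw's implementation. The addresses, ports and segment trace are constructed for illustration, with the ident callback from a mail server showing why that inbound SYN looks like an unrelated connection.

```python
from collections import namedtuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits
# outbound is True when the protected host itself sent the segment
Segment = namedtuple("Segment", "src sport dst dport flags outbound")

class StatefulFilter:
    def __init__(self, open_ports, reject_ports=(113,)):
        self.open_ports = set(open_ports)
        self.reject_ports = set(reject_ports)
        self.state = set()  # endpoint pairs of tracked conversations

    @staticmethod
    def key(seg):  # direction-independent conversation identifier
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def decide(self, seg):
        key = self.key(seg)
        if key in self.state:  # part of an established conversation
            if seg.flags & (FIN | RST):
                self.state.discard(key)  # conversation is over
            return "allow"
        if seg.outbound:  # we opened it: allow and start tracking replies
            self.state.add(key)
            return "allow"
        if seg.flags & SYN and not seg.flags & ACK:  # fresh inbound open
            if seg.dport in self.reject_ports:
                return "reject"  # answer with RST: fast failure, host visible
            if seg.dport in self.open_ports:
                self.state.add(key)
                return "allow"
        return "drop"  # silently discarded: nothing reveals the host

def demo():
    fw = StatefulFilter(open_ports={22})
    trace = [  # constructed segments; addresses from documentation ranges
        Segment("203.0.113.5", 40000, "192.0.2.1", 22, SYN, False),        # new SSH session
        Segment("192.0.2.1", 22, "203.0.113.5", 40000, SYN | ACK, True),    # our SYN/ACK reply
        Segment("203.0.113.5", 40001, "192.0.2.1", 80, ACK, False),         # bare ACK probe
        Segment("203.0.113.5", 40002, "192.0.2.1", 80, SYN, False),         # SYN to closed port
        Segment("192.0.2.1", 50000, "198.51.100.9", 25, SYN, True),         # we connect to SMTP
        Segment("198.51.100.9", 25, "192.0.2.1", 50000, SYN | ACK, False),  # SMTP server's reply
        Segment("198.51.100.9", 33000, "192.0.2.1", 113, SYN, False),       # its ident callback
        Segment("203.0.113.5", 40000, "192.0.2.1", 22, ACK | FIN, False),   # SSH session ends
        Segment("203.0.113.5", 40000, "192.0.2.1", 22, ACK, False),         # late ACK, no state
    ]
    return [fw.decide(s) for s in trace]
```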