On Mon, 2003-07-28 at 12:54, Rodrigo Barbosa wrote:

> My reasoning is that you have to trust your firewall. Sooner or later, the
> attacker will bruteforce it. So, the longer it takes for the
> attacker to understand there is a firewall there, the better. That is
> why I'm considering using tcp-reset. This way, the attacker will hit
> the traps faster. Maybe even same traps that will block his attack
> entirely.

Sure, everything can be figured out over time.

To answer your question, personally I drop everything silently on the firewall (like Russel) on the outside interface. On the inside interface I prefer to send a TCP-Reset so that internal devices get on with their business and don't hang in timeout states.

Keep in mind that my policy (just like yours I hope) takes a "deny all, allow required" stance. Firewalls that allow all and filter out certain port ranges may be better off with TCP-RST, while deny-all firewalls may be better off with silent drops.

I don't think you will always be able to completely hide a system though (especially when it serves a purpose, like email ;)

However, a thought just came to mind. Would it be better (from a cover-up point of view) to have the firewall send a spoofed ICMP-Host-Unreachable packet with the router's IP address? :)

Cheers,
Frank
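An added example, not part of Frank's post or the list thread, showing the policy he describes as an iptables script: default deny, silent DROP on the outside interface, TCP RST on the inside one. The interface names eth0/eth1 and SMTP as the single allowed public service are assumptions; without APPLY=1 the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not from the original post: a deny-all iptables ruleset that
# drops silently on the outside interface and sends TCP RST on the inside one.
# Assumptions: eth0 is outside, eth1 is inside, SMTP is the only public service.
# Without APPLY=1 the rules are printed instead of loaded (dry run).

WAN=${WAN:-eth0}   # outside interface (assumed name)
LAN=${LAN:-eth1}   # inside interface (assumed name)

# Run iptables for real only when APPLY=1; otherwise echo the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # "Deny all, allow required": default policy DROP on INPUT and FORWARD.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT

    # Loopback and replies to connections the firewall already knows about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The one required public service (SMTP, the example given in the post).
    ipt -A INPUT -i "$WAN" -p tcp --dport 25 -j ACCEPT

    # Outside: silent drop, no RST and no ICMP error to reveal the filter.
    ipt -A INPUT -i "$WAN" -j DROP

    # Inside: answer immediately so internal hosts do not sit in timeouts.
    # TCP gets a RST; everything else an ICMP port-unreachable.
    # (REJECT can also send icmp-host-unreachable, but always with the
    # firewall's own source address, not a spoofed router address.)
    ipt -A INPUT -i "$LAN" -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -i "$LAN" -j REJECT --reject-with icmp-port-unreachable
}

firewall_rules
```

Rule order matters: the silent DROP on the outside interface must come before any REJECT rule, or the outside would start answering with RST or ICMP errors.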
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 15:21:30 PDT