Netfilter/Ipchains best practices -- the stealthing debate.
  1. #1  Senior Member (joined Nov 2001, 1,255 posts)

    Netfilter/Ipchains best practices -- the stealthing debate.

    Anyone who's familiar with Netfilter could probably skip the first paragraph or two.

    Those who aren't familiar with Netfilter and/or Ipchains, I'll try and give you a brief description. Ipchains is a packet-level firewall included with most, if not all, Linux distributions. It offers COMPLETE port-based firewalling, such as you might want on a border router for a company's network. Netfilter is an expanded version of ipchains that allows for quite a bit more functionality. It is port-based, but is also a 'stateful firewall', which basically means that it can examine the 'state' of any packets, and then respond in a variety of ways depending on how your firewall is configured.

    Ipchains and Netfilter are something that I think EVERYONE who's running a Linux distribution at home should know inside out. It's really what can lock down your system and make things quite a bit more secure.

    I would suggest anyone interested in a more complete answer to what Netfilter and ipchains are should take a look at the following two pages:

    For Netfilter: http://netfilter.samba.org/netfilter-faq.html

    For Ipchains: http://www.niemueller.de/webmin/modu...ains-faq.shtml

    Now, onto my question.

    Those of you who are familiar with ipchains/netfilter will no doubt have certain policies regarding whether you REJECT a packet or whether you DROP/DENY a packet.

    My question is: What do you guys prefer and why?
    DROP or REJECT, and why?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  2. #2  Senior Member (joined Nov 2001, 1,255 posts)
    Does anybody care for this kind of discussion?
    Chris Shepherd

  3. #3  Senior Member (joined Sep 2001, 429 posts)
    I prefer to drop packets; this ties up the scanner and doesn't prove that there's a port listening.
    Deny & Reject allow the (potential) attacker to know you're there.

    Anybody else have any input?

  4. #4  Junior Member (joined Aug 2001, 23 posts)
    Personally I drop strangely ported packets, because I'm for some reason prone to portscans. Hopefully whoever's scanning me gets tired of waiting for all his pings to time out and leaves me alone.

  5. #5  Senior Member (joined Nov 2001, 1,255 posts)
    Originally posted by jcdux
    I prefer to drop packets; this ties up the scanner and doesn't prove that there's a port listening.
    Deny & Reject allow the (potential) attacker to know you're there.

    Anybody else have any input?

    Actually, DROP and DENY are one and the same (just a different term used between ipchains and iptables).

    You're right in that it shows a 'port' isn't listening, but so does REJECT. DENY/DROP CAN be used to determine if a machine is there at all, unfortunately.
    Chris Shepherd

  6. #6  Member (joined Oct 2001, 88 posts)
    DROP is the way to go. Deny is not really a bad sign to a hacker; if there is some script O' nastie that he has for `well known port' such and such, then he can go about beating up your firewall.

    Netfilter and Iptables (Ipchains) are great. I like ipfilter a bit better (non-glibc systems only at the moment) because the rules are essentially plain text and you can get *very* specific when accompanied by nat and tun.

    Cool post, love to see that security related stuff on AO.

  7. #7  Senior Member (joined Sep 2001, 412 posts)
    Not sure how I missed this thread when it was originally posted.
    Chsh - I /nearly/ always use drop; it may not be completely invisible to everyone, but it does go some way to hiding your boxen. It may be better to use reject for some udp broadcast traffic though (like ident), as this will help prevent lag.
    If you're writing a firewall for an internal network though, and want to block certain services to people, it would probably be better manners to use the reject switch; better to let people know straight away they can't get through than having them sit waiting for the connection to time out.

    Just my half a denari.
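An added example, not from any poster in the thread: a netfilter ruleset in iptables-restore format that implements the split argued for above (jcdux's silent DROP toward the Internet; post #7's REJECT on the LAN, and for ident on TCP/113, so legitimate clients fail fast instead of waiting on a timeout), plus rate-limited logging of what gets dropped so the scans the posters mention are visible in the kernel log rather than vanishing. The interface names eth0/eth1 and the single SSH allow rule on the LAN side are assumptions; the script only prints the ruleset unless run with --apply, which needs root.

```shell
#!/bin/sh
# Added example (not the thread's own code). Policy split:
#   - external interface: default DROP, silent toward unsolicited probes
#   - internal interface: REJECT so LAN clients get an immediate answer
#   - ident (TCP/113): REJECT with a TCP RST on every interface, so servers
#     that do an ident lookup before serving us do not stall the connection
# Dropped packets on the external side are logged (rate-limited) for detection.

gen_rules() {
    ext="$1"   # Internet-facing interface, e.g. eth0 (assumed name)
    int="$2"   # LAN-facing interface, e.g. eth1 (assumed name)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i $int -p tcp --dport 22 -j ACCEPT
-A INPUT -i $int -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $int -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i $ext -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A INPUT -i $ext -j DROP
COMMIT
EOF
}

# Self-check helper: how many rules on interface $3 end in action $4?
# Lets you confirm the LAN side answers (REJECT) and the WAN side stays silent (DROP).
count_action() {
    gen_rules "$1" "$2" | grep -c -- "-i $3 .*-j $4"
}

case "${1:-}" in
    --apply) gen_rules "${2:-eth0}" "${3:-eth1}" | iptables-restore ;;  # root required
    *)       gen_rules "${1:-eth0}" "${2:-eth1}" ;;                    # just print
esac
```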

  8. #8  Senior Member (joined Nov 2001, 1,255 posts)
    What I'm seeing is a trend to try and protect yourselves from script kiddies. Basically you're setting up defenses that deal with the generic portscan and the occasional attempted break-in.

    Is that accurate?
    Chris Shepherd

  9. #9  Senior Member (joined Sep 2001, 412 posts)
    Being as that would be the most prevalent form of attack, yes, that would be accurate - do I detect from the tone of your post that you're operating on some higher level, where script kiddie attacks are of no concern?
    Maybe instead of assuming some intellectual high ground without any evidence to back it up, you could enlighten us as to what it is your firewall does.

  10. #10  Senior Member (joined Sep 2001, 412 posts)
    There is a chance that I'm being presumptuous about your intellectual high ground - I'm in a stinkin' mood - if I'm wrong, I apologise.
