Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Tue, 22 Jan 2002 23:14:14 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Date: Wed, 23 Jan 2002 01:12:54 +0300
> From: Eugene Crosser <crosser@xxxxxxxxxxx>
> This should have been some other problem. SSH session does not die
> if the firewall blocks the packets, at least for 10 minutes or somesuch,
> that is the TCP keepalive period. Things *may* (fail to) work the way
> you say if you use 'REJECT' target instead of 'DENY', and only if you
> are unlucky.
The "unlucky" bit is why I redirect stdin and stderr to /dev/null
and also append an ampersand to put the process in the
background.
As for reject vs. deny, I say reject. The RFC (I forget the
number) specifies that a closed TCP port should send an RST, and
not just ignore the packet. Unless one wishes to attempt to
obfuscate a server's existence, it's much better to reject
instead of leaving clients hanging.
> Of course if we are speaking about debugging new rulesets, the more
> robust you make your recovery tool the better. Especially if your
> server is in a datacenter on the other side of the Earth ;) When
> you have debugged the ruleset and it is known to work right, I vote
> for activating it immediately after reboot, without delays. Otherwise,
> the bad guy who knows that there is an open window after reboot may
> try to trick you into rebooting (social engineering, DoS attack, ...)
> to use it and get inside.
Yes...
> (Yeah, right. Paranoia. That's part of my job :-)
>
> Eugene
Eddy
---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
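The recovery-tool pattern Eddy describes above (a detached, backgrounded process with its standard streams redirected to /dev/null, so that losing the SSH session cannot kill it) can be turned into a small lockout guard for testing a new ruleset. The script below is an added example and is not from the original thread or from any Cobalt tooling; the function names, the confirm-file mechanism and the grace period are all constructed for this illustration, and the actual firewall commands (for example an ipchains or pmfirewall script and a saved known-good ruleset) are passed in as strings so the guard can be exercised with harmless stand-ins.

```sh
#!/bin/sh
# Lockout-safe ruleset trial (constructed example, not from the thread).
#
# safe_apply GRACE APPLY_CMD RESTORE_CMD CONFIRM_FILE
#   1. starts a watchdog, detached from this shell's stdin/stdout/stderr and
#      immune to SIGHUP, that waits GRACE seconds and then runs RESTORE_CMD
#      unless CONFIRM_FILE has appeared in the meantime;
#   2. then runs APPLY_CMD to load the new ruleset.
# If the new rules cut off the admin's session, the watchdog still runs and
# puts the old rules back. If the admin can still log in, they create the
# confirm file (confirm_ruleset) and the watchdog does nothing.
safe_apply() {
    grace=$1
    apply_cmd=$2
    restore_cmd=$3
    confirm=$4

    rm -f "$confirm"

    # The subshell is backgrounded with every standard stream pointed at
    # /dev/null and HUP ignored, so a dying SSH session cannot take it down.
    (
        trap '' HUP
        sleep "$grace"
        if [ ! -e "$confirm" ]; then
            sh -c "$restore_cmd"
        fi
    ) </dev/null >/dev/null 2>&1 &

    # Only now load the rules under test.
    sh -c "$apply_cmd"
}

# Run from a fresh login once the new rules have been verified to let you in.
confirm_ruleset() {
    : > "$1"
}

# Real-world invocation would look like (commands are placeholders):
#   safe_apply 300 "/etc/rc.d/rc.firewall.new" \
#                  "/etc/rc.d/rc.firewall.known-good" /tmp/fw-ok
#   ... log in again from a second session, then:
#   confirm_ruleset /tmp/fw-ok
```

The grace period should be long enough to open a second session but short enough that an accidental lockout is brief; once the ruleset is known to work, load it directly at boot with no delay, as Eugene recommends, rather than leaving this guard in the startup path.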