
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



> Date: Wed, 23 Jan 2002 01:12:54 +0300
> From: Eugene Crosser <crosser@xxxxxxxxxxx>

> This should have been some other problem.  SSH session does not die
> if firewall blocks the packets, at least for 10 minutes or somesuch,
> that is TCP keepalive period.  Things *may* (fail to) work the way
> you say if you use 'REJECT' target instead of 'DENY', and only if you
> are unlucky.

The "unlucky" bit is why I redirect stdin and stderr to /dev/null
and also append an ampersand to put the process in the
background.

As for reject vs. deny, I say reject.  The RFC (I forget the
number) specifies that a closed TCP port should send an RST, and
not just ignore the packet.  Unless one wishes to attempt to
obfuscate a server's existence, it's much better to reject
instead of leaving clients hanging.

> Of course if we are speaking about debugging new rulesets, the more
> robust you make your recovery tool the better.  Especially if your
> server is in a datacenter on the other side of the Earth ;)  When
> you have debugged the ruleset and it is known to work right, I vote
> for activating it immediately after reboot, without delays.  Otherwise,
> the bad guy who knows that there is an open window after reboot may
> try to trick you into rebooting (social engineering, DoS attack, ...)
> to use it and get inside.

Yes...

> (Yeah, right.  Paranoia.  That's part of my job :-)
> 
> Eugene


Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
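
An added example, not part of the original message: a dead-man's switch for trying a new ruleset over SSH, using the detach technique mentioned above (stdio redirected to /dev/null, job backgrounded). The function name, the confirm file and the two script arguments are assumptions; the `trap '' HUP` line and the stdout redirect are additions beyond what the message describes.

```shell
#!/bin/sh
# try_ruleset DELAY CONFIRM_FILE APPLY_SCRIPT ROLLBACK_SCRIPT
#
# Hypothetical helper. APPLY_SCRIPT loads the ruleset under test and
# ROLLBACK_SCRIPT restores the known-good rules; both are supplied by the
# administrator and are not defined here.
try_ruleset() {
    delay=$1 confirm=$2 apply=$3 rollback=$4

    # A stale confirm file from an earlier run must not cancel this rollback.
    rm -f "$confirm"

    # Arm the rollback BEFORE touching the firewall, so that a ruleset which
    # cuts off the SSH session is still undone. The watcher is detached from
    # the session: stdin, stdout and stderr go to /dev/null and it runs in the
    # background. Ignoring SIGHUP keeps it alive if the login shell hangs up.
    (
        trap '' HUP
        sleep "$delay"
        # Roll back unless the operator confirmed in time.
        [ -e "$confirm" ] || sh "$rollback"
    ) </dev/null >/dev/null 2>&1 &
    ROLLBACK_PID=$!

    # Now load the ruleset under test in the foreground.
    sh "$apply"
}

# Typical use (paths are placeholders):
#   try_ruleset 300 /root/rules.ok /root/new-rules.sh /root/old-rules.sh
#   ...open a second SSH session to prove access still works, then:
#   touch /root/rules.ok
```

Once the ruleset is debugged, the confirm step is dropped and the rules are loaded directly at boot, as the quoted message argues.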