> Reply-To: <muaddib@mailandnews.com>
> From: "Pol Muaddib" <muaddib@mailandnews.com>
> To: "Radel" <netfilter@radel.yi.org>, <netfilter@lists.samba.org>
> Subject: RE: gracefull rst.
> Date: Sun, 5 Aug 2001 12:19:12 +0200
>
> You are right, maybe it was a bad analogy. I personally use -j
> REJECT --reject-with tcp-reset .
> In regard to software with redirect, I don't want software and I don't
> need to redirect; a simple program I could make in Perl. In regard to the
> DDoS attacks, if a 13 year old script kiddie wants, he could attack my server
> using a UDP packet storm from a few sub7server-infected cable modems, and
> that's that. No firewall is gonna stop it. If you think otherwise, just ask
> Steve Gibson http://grc.com/dos/grcdos.htm
> Anyway, I was asking this question for legitimate reasons (I think).
> First, I want to apologize if I misled you.
> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> For example, open port 113 -> "go away" -> close.
1) This is application specific. Not all the application protocols are ascii
like 21, 25, 80, ... there are some binary applications like 53. You are
not going to tell me that netfilter should know all the protocols to come
up with the right "go away", are you?
2) Actually sending a RST is exactly "go away -> close" but in a firm way.
3) grc.com's story is more a link saturation story than anything else. Your
way of politely closing the door will contribute to that link saturation.
4) What do you think the rate limiting you're talking about does? It simply
ignores those packets.
5) I don't see any benefit in doing the firewalling the way you described.
What is the "straightforwardness" and "security" about this gracefulness?
Ramin
> It is true that it could saturate the CPU, but so do other services. It is
> just more straightforward and secure to put it as a feature on the firewall.
> Besides, you could always do a connection limit to stop the saturation.
> iptables IP conntracking and packet fragment reassembly is indeed a needed
> feature, but iptables is vulnerable to CPU saturation because of it, so a
> legit port with a short message is not a real problem :).
>
> * - * - *
> Tzahi Fadida
> Tzahi@mailandnews.com
> Fax (+1 Outside the US) 240-597-3213
> * - * - * - * - * - *
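As an added example that is not part of this thread: a small Python model of the rule chain Ramin's points 2 and 4 describe, a rate-limited `REJECT --reject-with tcp-reset` followed by a catch-all `DROP`, showing how many probes in a SYN burst get a RST back and how many are simply ignored. The token-bucket approximation of netfilter's `limit` match and the SYN arrival times are constructed assumptions, not netfilter's actual kernel code.

```python
"""Model of a rate-limited REJECT rule followed by DROP.

Assumption: netfilter's `-m limit --limit R/s --limit-burst B` behaves as
a token bucket holding at most B tokens, refilled at R tokens per second;
a packet matches only if a whole token is available. Timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket approximating `-m limit --limit <rate>/s --limit-burst <burst>`."""
    rate_per_s: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full, like a fresh rule

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_s)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_syns(arrivals, rate_per_s: float = 1.0, burst: int = 5):
    """Walk each SYN through the chain:
         1) -m limit --limit 1/s --limit-burst 5 -j REJECT --reject-with tcp-reset
         2) -j DROP
    Returns (rst_sent, silently_dropped)."""
    lim = LimitMatch(rate_per_s, burst)
    rst = dropped = 0
    for t in arrivals:
        if lim.matches(t):
            rst += 1        # REJECT: one RST segment goes back to the sender
        else:
            dropped += 1    # DROP: packet ignored, nothing is sent back
    return rst, dropped


# Constructed burst: 20 SYNs within 0.2 s, then three lone SYNs seconds apart.
SYN_ARRIVALS = [i / 100 for i in range(20)] + [10.0, 11.0, 12.0]

if __name__ == "__main__":
    rst, dropped = filter_syns(SYN_ARRIVALS)
    print(f"RST replies: {rst}, silently dropped: {dropped}")  # → RST replies: 8, silently dropped: 15
```

Only the first five SYNs of the burst earn a RST; the rest fall through to DROP and cost no reply bandwidth, while the later isolated probes still get a firm "go away".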