[Firehol-support] Re: whitelisting

Goetz Bock bock at blacknet.de
Fri Jul 16 09:50:07 BST 2004

On Fri, Jul 16 '04 at 10:23, JusTiCe8 wrote:
> >
> In a security point of view, it's better to drop instead of reject 
> everything which is not welcomed from internet, in order to don't give 
> any hints to a potential attacker.

Actually this is wrong :-)

Lets assume you just offer ssh and drop the rest. And you have a
router/switch between you and the internet.

You get a package for your IP, this reaches your switch. The router
knows that the IP is on it's internal side, so it tries to discover your
MAC using ARP. It get's your MAC and sends the IP package on it's way.
Your firewall drops the package ... it's gone

OTOH if there is no PC with the requested IP the router will send back a
ICMP package saying "Sorry noone with this IP here". This is unless you
filter ICMP ... for what you ought to be shot (google if you want to
know why).
Goetz Bock       (c) 2004 as     blacknet.de - Munich - Germany   /"\
IT Consultant  Creative Commons  secure mobile Linux everNETting  \ /
 ASCII Ribbon Campaign against HTML email & microsoft attachments / \

More information about the Firehol-support mailing list