firewall config (was: Re: [Firehol-support] Re: whitelisting)
JusTiCe8
justice8 at wanadoo.fr
Fri Jul 16 10:54:31 BST 2004
Hi Goetz,
Goetz Bock wrote:
>On Fri, Jul 16 '04 at 10:23, JusTiCe8 wrote:
>
>>From a security point of view, it's better to drop instead of reject
>>everything which is not welcome from the internet, in order not to give
>>any hints to a potential attacker.
>
>Actually this is wrong :-)
>
Yes... when the firewall is not configured correctly as you say later.
>Let's assume you just offer ssh and drop the rest. And you have a
>router/switch between you and the internet.
>
>You get a package for your IP, this reaches your switch. The router
>knows that the IP is on its internal side, so it tries to discover your
>MAC using ARP. It gets your MAC and sends the IP package on its way.
>Your firewall drops the package ... it's gone
>
>OTOH if there is no PC with the requested IP the router will send back an
>ICMP package saying "Sorry, no one with this IP here". This is unless you
>filter ICMP ... for which you ought to be shot (google if you want to
>know why).
>
The firewall should let packets move: 1. from router to firewall/network,
and 2. from firewall/network to router. Am I wrong?
J8.
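The two policies the thread argues about, side by side, as an added example that is not from Goetz, JusTiCe8 or the FireHOL project: a minimal "ssh only" host written in plain iptables (not FireHOL syntax), once with a silent DROP tail and once with a REJECT tail that answers the way the upstream router would for an address with no host behind it. Both variants keep the ICMP types a host needs (echo-request, destination-unreachable, time-exceeded), so "drop the rest" does not become "filter ICMP". Assumptions: ssh on port 22, and the `IPT` variable defaulting to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): the same minimal "ssh only" policy
# as a DROP ruleset and as a REJECT ruleset, written with plain iptables
# rather than FireHOL syntax. Both keep the ICMP error types that path MTU
# discovery and traceroute rely on, so blocking "the rest" does not mean
# blocking all of ICMP.
#
# IPT defaults to a dry run that prints the commands; run with
# IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"

build_rules() {
    mode="$1"   # "drop" or "reject"

    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The one offered service (assumption: ssh on the standard port 22).
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # ICMP that must get through: ping, plus the error messages that tell
    # our own stack about unreachable hosts, oversized packets (PMTUD) and
    # expired TTLs.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    case "$mode" in
        drop)
            # Silent: the sender waits for a timeout and only learns that
            # something swallowed the packet.
            $IPT -A INPUT -j DROP
            ;;
        reject)
            # Answer as the router would for an address with no host on it
            # (the point made in the thread): host-unreachable, not the
            # default port-unreachable that reveals a filtering host.
            $IPT -A INPUT -j REJECT --reject-with icmp-host-unreachable
            ;;
        *)
            echo "usage: build_rules drop|reject" >&2
            return 2
            ;;
    esac
}

# Usage: sh this_script.sh drop     (dry run, prints the rules)
#        IPT=iptables sh this_script.sh reject   (applies them, as root)
if [ -n "${1-}" ]; then
    build_rules "$1"
fi
```

Either way the tail rule is the last thing evaluated, so the three ICMP accepts above it are what keep PMTUD and traceroute working; that is the part the thread says people get wrong when they "filter ICMP".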