[Dshield] firewall policy recommendations

Chad Albert chadalbert at mchsi.com
Wed May 29 14:01:18 GMT 2002


I am curious to know what most people on this list think is the best
practice when blocking traffic with a firewall.  I see many firewalls that
drop unwanted TCP packets, many that send a RST packet, some drop unwanted
UDP, and some send ICMP type 3 (destination unreachable).  I have heard
arguments that suggest RST packets and ICMP type 3 hide the fact that you
have a firewall by responding as if it were coming from a non-protected host
that is just not listening on any ports.  This makes it harder for an
attacker to size up his / her target.  I have also heard the opinion that
dropping the packets will just make it harder for the attacker to get to the
host at all.  I tend to lean toward the second option since it is generally
not that hard to see that there is a firewall in place and examining the
responses can give away make and model, but I would like to hear from other
firewall admins to see if my opinion needs to change.

TIA

Chad Albert




=========================================
Microsoft     "Where do you want to go today?"
Linux           "Where do you want to go tomorrow?"
FreeBSD     "Are you guys coming or what?"
=========================================
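
As an added illustration (not part of the original post), here is a small Python model of how each blocking behaviour named in the question looks to an outside observer, run over constructed probe results such as an admin might record when testing their own perimeter. The response labels and function names are assumptions, and the model covers response type only, not the header details the post says can reveal make and model.

```python
from collections import Counter

# Constructed probe results, as an admin might record them when testing
# their own perimeter from outside: (proto, port, response). A response is
# "syn-ack", "udp-reply", "rst", "timeout", or ("icmp3", code).
DROP_POLICY = [("tcp", 22, "timeout"), ("tcp", 80, "syn-ack"),
               ("tcp", 135, "timeout"), ("udp", 137, "timeout")]
REJECT_POLICY = [("tcp", 22, "rst"), ("tcp", 80, "syn-ack"),
                 ("tcp", 135, "rst"), ("udp", 137, ("icmp3", 3))]
PROHIBIT_POLICY = [("tcp", 22, ("icmp3", 13)), ("tcp", 80, "syn-ack"),
                   ("udp", 137, ("icmp3", 13))]


def classify(proto, response):
    """Return the port state an outside observer would infer."""
    if response in ("syn-ack", "udp-reply"):
        return "open"
    if proto == "tcp" and response == "rst":
        return "closed"          # same answer an unfiltered host gives
    if proto == "udp" and response == ("icmp3", 3):
        return "closed"          # port unreachable: normal for closed UDP
    if isinstance(response, tuple) and response[0] == "icmp3":
        return "filtered"        # e.g. code 13, or any ICMP answer to a SYN
    if response == "timeout":
        # A live TCP stack answers every SYN, so silence implies a filter.
        # Silent UDP is ambiguous: the service may just ignore the probe.
        return "filtered" if proto == "tcp" else "open|filtered"
    raise ValueError(f"unknown response: {response!r}")


def assess(observations):
    """Tally inferred states and report whether filtering is evident."""
    states = Counter(classify(p, _port and r or r, ) if False else
                     classify(p, r) for p, _port, r in observations)
    return states, states["filtered"] > 0


if __name__ == "__main__":
    for name, obs in [("drop", DROP_POLICY), ("reject", REJECT_POLICY),
                      ("icmp prohibited", PROHIBIT_POLICY)]:
        states, evident = assess(obs)
        print(f"{name:16} {dict(states)} filter evident: {evident}")
```

Only the RST plus port-unreachable sample comes back with no "filtered" ports, which is the basis of the first argument in the post; the drop sample is identified as filtered from the silent TCP ports alone.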