[Dshield] firewall policy recommendations

Chad Albert chadalbert at mchsi.com
Wed May 29 14:01:18 GMT 2002

I am curious to know what most people on this list think is the best
practice when blocking traffic with a firewall.  I see many firewalls that
drop unwanted TCP packets, many that send a RST packet, some drop unwanted
UDP, and some send ICMP type 3 (destination unreachable).  I have heard
arguments that suggest RST packets and ICMP type 3 hide the fact that you
have a firewall by responding as if it were coming from a non-protected host
that is just not listening on any ports.  This makes it harder for an
attacker to size up his / her target.  I have also heard the opinion that
dropping the packets will just make it harder for the attacker to get to the
host at all.  I tend to lean toward the second option since it is generally
not that hard to see that there is a firewall in place and examining the
responses can give away make and model, but I would like to hear from other
firewall admins to see if my opinion needs to change.


Chad Albert

Microsoft     "Where do you want to go today?"
Linux           "Where do you want to go tomorrow?"
FreeBSD     "Are you guys coming or what?"
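
The behaviours compared in the question, written as an iptables-restore ruleset (an added example, not part of the original post). Linux iptables, the chain names BLOCK_SILENT and BLOCK_REPLY, the rate-limit values and the allowed SSH port are assumptions made for illustration.

```iptables
# Added example: load with iptables-restore. Chain names, limits and the
# allowed port are assumptions, not values from the post.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_SILENT - [0:0]
:BLOCK_REPLY - [0:0]

# Option A: drop unwanted TCP and UDP without any reply.
# The sender sees a timeout.
-A BLOCK_SILENT -j DROP

# Option B: answer the way a host with no listener on the port would.
# TCP gets a RST, UDP gets ICMP type 3 code 3 (port unreachable).
# Replies are rate-limited because they go to the packet's source
# address, which may be spoofed; anything over the limit is dropped.
-A BLOCK_REPLY -p tcp -m limit --limit 20/second --limit-burst 40 -j REJECT --reject-with tcp-reset
-A BLOCK_REPLY -p udp -m limit --limit 20/second --limit-burst 40 -j REJECT --reject-with icmp-port-unreachable
-A BLOCK_REPLY -j DROP

# Traffic that is wanted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

# Everything else goes to exactly one of the two blocking chains.
# Swap BLOCK_SILENT for BLOCK_REPLY to change policy.
-A INPUT -j BLOCK_SILENT
COMMIT
```

Keeping each policy in its own chain means the choice is a one-line change, and TCP and UDP are handled consistently under either option.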
