[Dshield] firewall policy recommendations

Kenneth Porter shiva at sewingwitch.com
Wed May 29 15:34:52 GMT 2002


On Wed, 2002-05-29 at 07:01, Chad Albert wrote:
> I am curious to know what most people on this list think is the best
> practice when blocking traffic with a firewall.  I see many firewalls that
> drop unwanted TCP packets, many that send a rst packet, some drop unwanted
> UDP, and some send ICMP type 3 (destination unreachable).

Drop anything you don't expect. That'll tie up a prober waiting for his
SYN to be ACK'd, slowing down his scans.

If you expect a packet but don't provide the service, use your choice of
reject replies. For instance, an IRC server I connect to replies with a
check for a SOCKS proxy. If I drop that check, my IRC connection takes
many seconds to complete. By rejecting it instead, the server gives up
immediately and quickly finishes the connection.

Iptables lets you choose which icmp to reply with when rejecting a
connection, and I've been using fwbuilder's default setting of
icmp-host-prohibited.
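The policy above expressed as an iptables ruleset, added here as an example that is not part of the original post or of fwbuilder's output: the IRC server address 192.0.2.10, the SOCKS check port 1080 and the offered service list are assumptions. The script prints the rules unless run with the argument `apply`.

```shell
#!/bin/sh
# Added example: drop what we don't expect, reject what we expect but don't serve.
# Assumptions (not from the post): the IRC server's SOCKS check arrives from
# IRC_SERVER on SOCKS_PORT; PUBLIC_TCP lists the services this host really offers.
IRC_SERVER="192.0.2.10"              # placeholder address of the IRC server
SOCKS_PORT=1080                      # conventional SOCKS port the server probes
PUBLIC_TCP="22"                      # services we actually provide
REJECT_TYPE="icmp-host-prohibited"   # fwbuilder's default, as in the post

build_rules() {
    # Default policy: silently drop, so a prober waits out its SYN timeout.
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # Replies to connections we initiated are expected traffic.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Services we provide.
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Expected but unserved: the IRC server's SOCKS check. Reject it at once so
    # the server stops waiting and completes the IRC connection.
    echo "iptables -A INPUT -s $IRC_SERVER -p tcp --dport $SOCKS_PORT -j REJECT --reject-with $REJECT_TYPE"
    # Everything else falls through to the DROP policy.
}

# Number of rules that answer rather than drop; a sanity check on the ruleset.
count_rejects() {
    build_rules | grep -c -- '-j REJECT'
}

if [ "${1:-print}" = "apply" ]; then
    build_rules | sh      # needs root
else
    build_rules
fi
```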