
#1 2006-10-21 14:08:07

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

brain0's simple stateful firewall - knockd & stealth

I added a bit to the wiki page about using knockd with this firewall - is what I wrote "correct"?  It makes sense to me to make changes to the open chain with knockd rather than to the INPUT chain as that is the whole point of the open chain, is it not?

I was also wondering about the REJECT commands:

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

I know that some people prefer the stealth approach whereby such packets are DROPped rather than REJECTed and that others think that "stealth" is a load of rubbish. Presumably you could just change those REJECTs to DROPs if you so wished?


#2 2006-11-09 22:37:16

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: brain0's simple stateful firewall - knockd & stealth

dtw wrote:

I added a bit to the wiki page about using knockd with this firewall - is what I wrote "correct"?  It makes sense to me to make changes to the open chain with knockd rather than to the INPUT chain as that is the whole point of the open chain, is it not?

It seems correct. And you are right, it is exactly the way the open chain is supposed to be used. But (after reading your other thread) I am wondering if netfilter is blocking the knocks itself. If knockd is parsing all network traffic (like pcap for example) it will see the knocks even if netfilter blocks them. But if it just listens on the ports in question, your knocks will be blocked.

I was also wondering about the REJECT commands:

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

I know that some people prefer the stealth approach whereby such packets are DROPped rather than REJECTed and that others think that "stealth" is a load of rubbish. Presumably you could just change those REJECTs to DROPs if you so wished?

The two rules above behave exactly the way Linux behaves if there is no firewall configured.
There is no stealth on the internet. If your computer is offline, the next router will notify the host trying to contact you (icmp-host-unreachable). If you are online and DROP packets, you will gain nothing, but you will be a part of destroying the internet *g. If, for example, a packet is sent to you to open a new TCP connection, the client will wait several minutes before running into a timeout. The normal behaviour would be to receive a TCP-reset so it knows immediately that the host doesn't offer a service.
People/vendors who claim that their firewall settings will make you appear invisible are simply lying or don't know what they are talking about.

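The two points of the thread, knockd adding rules to the open chain rather than to INPUT, and the choice between the REJECT rules quoted above and their DROP variants, put together in one runnable sketch. This is an added example, not brain0's actual firewall script or anything from the wiki page: the chain layout, the ruleset() and final_rules() helpers and the open_port/close_port commands are assumptions for illustration; only the two REJECT rules are the ones quoted in the thread. The script only prints rules, so it runs without root; nothing touches the live firewall unless you pipe the output into iptables-restore yourself.

```sh
#!/bin/sh
# Added example (not from the thread). Generates a small stateful ruleset with
# an "open" chain, in iptables-restore format, and shows the commands a knockd
# stanza would use to punch holes in that chain. Rules are printed, not applied.

# final_rules MODE: the last two INPUT rules.
#   reject  - the thread's rules: TCP RST / ICMP port-unreachable, which is
#             what an unfirewalled Linux host answers for a closed port anyway.
#   drop    - the "stealth" variant asked about; the remote client gets no
#             answer and waits for its own timeout instead.
final_rules() {
    case "$1" in
        reject)
            printf '%s\n' \
                '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
                '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
            ;;
        drop)
            printf '%s\n' \
                '-A INPUT -p tcp -j DROP' \
                '-A INPUT -p udp -j DROP'
            ;;
        *)
            echo "usage: final_rules reject|drop" >&2
            return 1
            ;;
    esac
}

# ruleset MODE: complete iptables-restore input (assumed layout). INPUT accepts
# loopback and established traffic, hands NEW connections to the "open" chain,
# and whatever the open chain does not ACCEPT falls through to final_rules.
# Services you want reachable permanently also go into "open".
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j open
-A INPUT -p udp -m state --state NEW -j open
EOF
    final_rules "$1" || return 1
    echo COMMIT
}

# open_port IP PORT / close_port IP PORT: what a knockd "command =" line for a
# knock sequence would run, with %IP% already substituted by knockd. The rules
# go into the open chain, not INPUT, so the knock only widens the hole the
# firewall design already provides for. knockd captures packets with libpcap,
# so it sees the knocks even though INPUT rejects them.
# IPTABLES defaults to a dry run; set IPTABLES=/usr/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
open_port()  { $IPTABLES -I open -s "$1" -p tcp --dport "$2" -j ACCEPT; }
close_port() { $IPTABLES -D open -s "$1" -p tcp --dport "$2" -j ACCEPT; }

# Usage: MODE=reject sh fw.sh | iptables-restore   (or MODE=drop)
if [ -n "${MODE:-}" ]; then
    ruleset "$MODE"
fi
```

Run with `MODE=reject sh fw.sh` to see the ruleset the thread's REJECT rules produce, or `MODE=drop` for the DROP variant; the only difference is the last two rules before COMMIT, which is exactly the swap dtw asks about. `open_port 203.0.113.5 22` prints the knockd-style insert for a constructed client address; the matching `close_port` removes it again.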
