adaptive stealth in ipfw?

Roman Neuhauser neuhauser at bellavista.cz
Sun Nov 30 07:49:56 PST 2003


# freebsd at keyslapper.org / 2003-11-28 12:58:33 -0500:
> On 11/28/03 06:11 PM, Christian Laursen sat at the `puter and typed:
> > Louis LeBlanc <freebsd at keyslapper.org> writes:
> > 
> > > I was introduced to a fantastic web site, http://www.grc.com/ which
> > > has some impressive information about security and a number of other
> > > things.  Steve Gibsons 'Shields Up' web service will scan your system
> > > and tell you where your vulnerabilities lie, and explain the ports in
> > > pretty good detail.
> > 
> > http://www.grcsucks.com/
> 
> Hmm.  Interesting site.  I'm sure I'll find some interesting stuff
> there too, but it looks like the person running the site has no
> greater purpose in life than character assassination.  Not that he's
> altogether wrong.  I'd have to read more and decide myself what I
> really think.  I'm no security expert - I'm only going on what I *do*
> know (or think I know), so I'd just as soon not get into a flame war
> over who the idiot really is - I haven't much defense for myself in
> the security arena :).
> 
> Still, if anyone *does* know the facts, I'd like to know what the case
> really is with the IDENT port and adaptive stealth.

    don't get carried away by the nonsense at grc.com. the
    marketroid-speak term "adaptive stealth" can be normally described
    as stateful filtering (and dropping the packets instead of rejecting
    them), and it means that (in case of TCP), the target machine throws
    away packets that:

    * don't have the SYN bit set (and the ACK bit unset)
    * are not part of an established "conversation"

    you can completely "stealth" a machine if it runs no publicly
    available servers. the problem with ident is similar to FTP: the
    first connection goes from you out, the other party then tries to
    connect to you (as far as the stack is concerned, this is a
    completely unrelated connection).

    but, the question is: what is your problem? why do you need to have
    identd(8) running? will anything you need break without it? if not,
    the correct solution to your problem is IMO to *reject* connection
    attempts to your port 113.

-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message.    see http://www.eyrie.org./~eagle/faqs/questions.html
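An ipfw(8) ruleset implementing what Roman describes above (stateful filtering, silent drop of anything inbound that is not part of an established conversation, a TCP reset for port 113) is added here as an example; it is not part of the thread. It assumes the outside interface name is given in OIF (default fxp0, hypothetical) and that the box runs no public servers.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw(8) rules for a box that runs no
# public servers, with a TCP RST for ident (port 113) instead of a silent drop.

OIF="${OIF:-fxp0}"   # assumed name of the outside interface (hypothetical)

# Print the rule bodies, one per line; "ipfw add" is applied to each later.
ipfw_stealth_rules() {
    # Loopback traffic is never filtered.
    echo "100 allow ip from any to any via lo0"
    # Packets matching a dynamic rule (an established conversation) pass.
    echo "200 check-state"
    # Outbound TCP: only a SYN (setup) may create state, so return traffic is
    # admitted by rule 200 while unrelated inbound segments are not.
    echo "300 allow tcp from me to any out via ${OIF} setup keep-state"
    # Outbound UDP (DNS, NTP) likewise creates a short-lived dynamic rule.
    echo "310 allow udp from me to any out via ${OIF} keep-state"
    # ident: answer with a RST so the remote side (IRC, SMTP servers) gives up
    # at once instead of waiting for a timeout on a dropped SYN.
    echo "400 reset tcp from any to me 113 in via ${OIF}"
    # Everything else arriving on the outside interface is dropped silently:
    # unsolicited SYNs, non-SYN segments with no state, orphan UDP.
    echo "500 deny log ip from any to any in via ${OIF}"
    # Remaining (outbound) traffic is allowed.
    echo "65000 allow ip from any to any"
}

# Load the rules (as root on FreeBSD): flush, then add each rule in order.
load_ipfw_stealth_rules() {
    ipfw -q -f flush || return 1
    ipfw_stealth_rules | while read -r rule; do
        # $rule is left unquoted on purpose: it is a list of ipfw words.
        ipfw -q add $rule || exit 1
    done
}
```

Run load_ipfw_stealth_rules from the console rather than over the network, since a mistake in the ordering locks out remote sessions.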
