Re: re : Re: [Firestarter-user] reverting back to Version 0.7.1
From: Jack B. <jb...@sh...> - 2002-07-28 18:19:35
** Reply to message from od...@al... on Sun, 28 Jul 2002 09:35:15 +0200 (CEST)

> ** Reply to message from Jack Bowling on Sat, 27 Jul 2002
>
> > > I had a strange experience a couple of days ago, testing my
> > > Firestarter 8.2-3 (the unofficial "close all" script). Actually I
> > > installed, tried out and got rid of Redhat 7.3. I installed it with
> > > the standard 2.4.18 kernel and iptables. The strange thing was that
> > > I got a lot of trojan ports reported as "closed" and not as
> > > "stealth" on the Trojan test page at http://www.pcflank.com - which
> > > is rather embarrassing as you then are visible.
> >
> > The difference between showing closed and stealth is the difference
> > between the default DENY or default REJECT. This is a setting in the
> > FS GUI: Preferences -> Advanced -> Preferred Packet Rejection Method.
> > If you have it set to Reject, then your firewall will send a Port
> > Unreachable message back with the return packet which the scanner will
> > interpret as a Closed port. If you have it set for Deny, then your
> > firewall will simply drop the scan packet without sending any return
> > packet; for all intents and purposes you are invisible and the scan
> > engine will see it as being in Stealth mode.
>
> You are right, Jack. But you know, I was describing an odd
> problem, which probably has something to do with kernel 2.4.18 and
> iptables (in Redhat 7.3 and Mandrake 8.0/8.1/8.2). I use the
> Firestarter "closed all" version (8.2-3) with DENY as default setting.
> The strange thing is that I obtain all ports stealthed ONLY with a
> 2.2.20 kernel and ipchains, even if Firestarter 8.2-3 has been compiled
> with Redhat 7.3 and a 2.4-kernel...

Hmmm. Well, all I can say is that I have FS 0.8.2-3 running here on my box
with the iptables 1.2.5-3 rpm and the 2.4.18-5 kernel and things are fine.
I will be converting to mainline 2.4.19 kernel/latest iptables CVS whenever
it is released so I'll let you know if there are any changes.
> > In truth, Deny only works to deceive 100% if you have *all* ports
> > closed. If a scan engine sees just one port open and the rest are
> > stealthed, then it is pretty easy to conclude that there is a firewall
> > up. However, if you have it set to Reject then the scan engine knows
> > right away that there is an active firewall up. Your firewall box CPU
> > will be busier using Reject since it takes some processing power to
> > send the packet back to the originating host. And if you ever do have
> > the misfortune to be DoS'ed by some script kiddie, then Reject will
> > likely lead to bandwidth saturation much earlier than if using Deny
> > since your box will be trying to reply to all the incoming packets
> > instead of just ignoring them.
>
> I never use the Reject method (also tcp_wrappers is set to DENY as
> default). I once had one of those script kiddies trying to get in, but
> Firestarter made a nice job. It is really the best firewall script I
> have had until now.

Agreed.

jb
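The closed-versus-stealth distinction and the "one open port gives the firewall away" argument in the message above, worked through as an added example. This is not code from the thread, from Firestarter or from any scanner; it models how a TCP SYN scanner labels each port from the reply it gets (SYN/ACK, RST, ICMP port unreachable, or silence) and then applies Jack's reasoning to the scan as a whole. The reply vocabulary, the `Probe` type and all scan results below are constructed for the example, not captured from a real host.

```python
"""
Added example (not part of the original mailing-list thread): how a port
scanner turns per-port replies into the "closed" vs "stealth" labels
discussed above, and why a DROP ("Deny") policy only hides a host when
every port is dropped.  All probe data here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Kinds of reply a TCP SYN probe can receive.  This vocabulary is an
# assumption made for the example, not an API of Firestarter or iptables.
SYN_ACK = "syn-ack"                          # a listener answered: open
RST = "rst"                                  # kernel says no listener: closed
ICMP_PORT_UNREACH = "icmp-port-unreachable"  # iptables REJECT's default reply
NO_REPLY = None                              # probe silently dropped (DROP/"Deny")


@dataclass(frozen=True)
class Probe:
    """One SYN probe and the reply it got (constructed type for this example)."""
    port: int
    reply: Optional[str]


def classify(probe: Probe) -> str:
    """Label one port the way a SYN scanner does.

    SYN/ACK -> open; RST or ICMP port-unreachable -> closed;
    no reply at all -> filtered (the pcflank-style "stealth").
    """
    if probe.reply == SYN_ACK:
        return "open"
    if probe.reply in (RST, ICMP_PORT_UNREACH):
        return "closed"
    if probe.reply is NO_REPLY:
        return "filtered"
    raise ValueError(f"unknown reply type {probe.reply!r}")


def infer_firewall(probes: List[Probe]) -> str:
    """What the whole scan reveals, following the reasoning in the thread.

    - Any ICMP port-unreachable in answer to a TCP probe betrays a
      REJECT-style firewall: a genuinely closed TCP port answers with RST,
      never with ICMP.
    - Silent ports mixed with answered ones betray a DROP-style firewall:
      a host that is up does not simply ignore SYNs to closed ports.
    - Only an entirely silent scan is consistent with "nothing is there".
    """
    labels = [classify(p) for p in probes]
    filtered = labels.count("filtered")
    if any(p.reply == ICMP_PORT_UNREACH for p in probes):
        return "firewall present (REJECT)"
    if filtered and filtered < len(labels):
        return "firewall present (DROP)"
    if filtered == len(labels):
        return "no response at all (fully stealthed or host down)"
    return "no filtering observed"


# Constructed scan results.  A host running only SSH behind a DROP policy:
DROP_HOST = [Probe(22, SYN_ACK), Probe(80, NO_REPLY),
             Probe(12345, NO_REPLY), Probe(31337, NO_REPLY)]
# The same host with the policy switched to REJECT (ICMP port unreachable):
REJECT_HOST = [Probe(22, SYN_ACK), Probe(80, ICMP_PORT_UNREACH),
               Probe(12345, ICMP_PORT_UNREACH), Probe(31337, ICMP_PORT_UNREACH)]
# Every port dropped: the only scan that truly looks like no host at all:
ALL_DROPPED = [Probe(p, NO_REPLY) for p in (22, 80, 12345, 31337)]
# An unfiltered host with no listener on 80 (normal RST):
BARE_HOST = [Probe(22, SYN_ACK), Probe(80, RST)]


if __name__ == "__main__":
    for name, scan in (("DROP_HOST", DROP_HOST), ("REJECT_HOST", REJECT_HOST),
                       ("ALL_DROPPED", ALL_DROPPED), ("BARE_HOST", BARE_HOST)):
        print(name, {p.port: classify(p) for p in scan}, "->", infer_firewall(scan))
```

One detail worth keeping in mind when reading the result for `REJECT_HOST`: the iptables `REJECT` target answers with an ICMP port-unreachable unless told otherwise (`--reject-with tcp-reset` makes it send an RST instead), so with the default a closed TCP port looks different from a natively closed one, which is exactly the "scan engine knows right away" effect described above.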