security

Daniel Roethlisberger daniel at roe.ch
Sun Oct 7 09:27:02 PDT 2001


J.A. Neitzel <jan.listbox at belvento.org> wrote:
> What if this dial-up (via PPP link?) machine has 0 (zero) ports
> listening for connections. In a situation like this, can a

This is very theoretical. I've never seen a box which had no
listening ports at all. Do you agree with me that 99.9% of all
finished LFS boxes have at least one service running by the time
they connect to the Internet? There's hardly any box without any
sshd, telnetd, or ftpd installed, don't you think?

> firewall serve any really useful purpose? Probably it can, but
> could you maybe give small example to illustrate?

There's many things you don't want, even if you don't actually
have any ports open on purpose. Some of them are deny access to
accidentally opened ports, stop OS fingerprinting (nmap, queso, x,
..), port scanning (nmap, hping, nessus, whatever), drop
potentially dangerous ICMP types (those "without any socially
redeeming value" as someone once put it), drop garbage coming from
reserved address ranges, drop smurfed ICMP Echo Requests, drop TCP
Timestamps, drop source-routed IP, the list is neverending. And,
flaws in TCP/IP stacks are found from time to time; if you have it
all closed down then the chance someone can use it against you is
a lot smaller. Just like safer sex :o)

Cheers,
Dan


-- 
   Daniel Roethlisberger <daniel at roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message



More information about the blfs-support mailing list