[plug] iptables rules

James Devenish devenish at guild.uwa.edu.au
Tue May 20 14:50:40 WST 2003


In message <3EC9CD69.30100 at wn.com.au>
on Tue, May 20, 2003 at 02:38:33PM +0800, Ben Jensz wrote:
> If there are no open ports on the machine and all ports are set to drop 
> traffic, nmap won't even know if there is a machine unless it responds 
> in some way to new connections coming into that specific interface. 

I don't know about nmap, but dropping all traffic is NOT the same as
'not even being there'. If there is no machine there, ICMP responses
will be sent (to the tune of 'host unreachable'). If a machine drops
all packets and no ICMP is sent, then that says 'either my ISP can't
talk to the Internet properly or I have a precious machine that I am
trying to hide'.

> >I want to stop the following ports from being listed

(a) If you are running public services on an unfirewalled machine but
    don't want them available to the public: reconfigure your daemons to
    stop making their services public.

(b) If you are running public services but wish to restrict them
    to only "friendly" hosts: configure your packet filter
    to issue 'connection refused' to any non-friendly hosts
    (solves Ben's problem).
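Option (b) as an added worked example, not part of the original post: iptables rules that restrict an assumed SSH service on tcp/22 to one assumed friendly address (192.0.2.10, from the documentation range) and answer everyone else with 'connection refused', shown beside the drop-everything variant the thread argues against. The IPT variable and the function names are my own; set IPT=echo to preview the rules without root or netfilter.

```shell
#!/bin/sh
# Added example (not from the original thread). IPT is the command used to
# apply each rule: iptables by default, or "echo" to preview without root.
IPT="${IPT:-iptables}"

# Drop-everything variant: unsolicited packets get no answer at all, so a
# closed port is indistinguishable from a filtered one and the host looks
# like it is hiding rather than simply not offering the service.
drop_all_rules() {
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -j DROP
}

# Friendly-hosts variant: accept the service only from $1 (address or CIDR)
# on TCP port $2, then REJECT everything else. REJECT makes the kernel send
# a TCP RST for TCP and ICMP port-unreachable for anything else, which is
# exactly what a host with no such service would send anyway.
friendly_rules() {
    friend="$1"
    port="$2"
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$port" -s "$friend" -j ACCEPT
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Preview the friendly-hosts rule set when invoked as: IPT=echo sh rules.sh
case "$IPT" in
    echo) friendly_rules 192.0.2.10 22 ;;
esac
```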
