[plug] iptables rules
Ben Jensz
jensz at wn.com.au
Tue May 20 15:07:35 WST 2003
James Devenish wrote:
>I don't know about nmap, but dropping all traffic is NOT the same as
>'not even being there'. If there is no machine there, ICMP responses
>will be sent (to the tune of 'host unreachable'). If a machine drops
>all packets and no ICMP is sent, then that says 'either my ISP can't
>talk to the Internet properly or I have a precious machine that I am
>trying to hide'.
>
>
Well that is debatable. If the last router/machine the data went
through is on the same network subnet, then it generally just times out
and doesn't give a destination host unreachable. It's irrelevant anyway,
as Jon was asking how to specifically hide ports from nmap. There are
of course other ways of finding out whether a machine exists or not, but
this is purely based on nmap discovery.
>
>(a) If you are running public services on an unfirewalled machine but
> don't want them to the public: reconfigure your daemons to stop
> making their services public.
>
>
I'm assuming that Jon probably wants to be able to access certain
services remotely, so hence the need to firewall them.
>(b) If you are running public services but wish to restrict them
> to only "friendly" hosts: configure your packet filter
> to issue 'connection refused' to any non-friendly hosts
> (solves Ben's problem).
>
>
Well actually if you say reject with iptables, last time I checked, nmap
still saw it as a firewalled port that was open and not in fact a closed
port.
/ Ben
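Added example, not part of the original thread: a small POSIX sh script showing the three INPUT-chain endings the thread is arguing about (silent DROP, REJECT with the default ICMP port-unreachable, and REJECT with a TCP reset) so the difference in how nmap labels the port can be seen side by side. A plain DROP or an ICMP port-unreachable both show up in nmap's TCP scans as "filtered", which is the "firewalled port" Ben describes; only `--reject-with tcp-reset` sends what a genuinely closed port would send, so nmap reports "closed". The variable names (DRY_RUN, ALLOWED_TCP, FRIENDLY), the trusted subnet 192.0.2.0/24 and the two allowed ports are assumptions chosen for the example; by default it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds an INPUT chain that
# accepts a few TCP ports from a trusted subnet and answers everything else
# in one of three ways, so the nmap-visible difference can be compared.
# Assumptions: iptables is in PATH; ALLOWED_TCP holds the ports you still
# need to reach remotely; FRIENDLY is the trusted CIDR (192.0.2.0/24 is a
# documentation range used here as a placeholder). DRY_RUN=1 (the default)
# prints the commands instead of applying them.
DRY_RUN=${DRY_RUN:-1}
ALLOWED_TCP=${ALLOWED_TCP:-"22 443"}
FRIENDLY=${FRIENDLY:-192.0.2.0/24}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_rules MODE
#   drop   : packets are discarded silently. nmap prints "filtered"; a host
#            whose every port does this looks like a firewall, not an empty
#            address, which is the point James was making.
#   reject : ICMP port-unreachable goes back. nmap's TCP scans still print
#            "filtered" because a closed TCP port would answer with RST,
#            not ICMP; this is the behaviour Ben observed.
#   reset  : a TCP RST goes back, exactly what a closed port sends, so nmap
#            prints "closed" and the port is indistinguishable from a
#            service that is simply not running.
apply_rules() {
    mode=$1
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -s "$FRIENDLY" -j ACCEPT
    done
    case $mode in
        drop)   ipt -A INPUT -p tcp -j DROP ;;
        reject) ipt -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable ;;
        reset)  ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset ;;
        *)      echo "unknown mode: $mode (use drop, reject or reset)" >&2
                return 1 ;;
    esac
}

# Usage: sh this_script.sh [drop|reject|reset]   (defaults to drop)
apply_rules "${1:-drop}"
```

Whichever ending you pick, the ACCEPT rules for trusted hosts sit first, so the choice only changes what strangers see. Note that the final rule here only covers TCP; UDP probes fall through to the DROP policy and still look filtered.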